ulyssesric

radiusd -X log (eapol_test)

Sep 19th, 2023 (edited)
  1. FreeRADIUS Version 3.2.3
  2. Copyright (C) 1999-2022 The FreeRADIUS server project and contributors
  3. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
  4. PARTICULAR PURPOSE
  5. You may redistribute copies of FreeRADIUS under the terms of the
  6. GNU General Public License
  7. For more information about these matters, see the file named COPYRIGHT
  8. Starting - reading configuration files ...
  9. including dictionary file /usr/share/freeradius/dictionary
  10. including dictionary file /usr/share/freeradius/dictionary.dhcp
  11. including dictionary file /usr/share/freeradius/dictionary.vqp
  12. including dictionary file /etc/raddb/dictionary
  13. including configuration file /etc/raddb/radiusd.conf
  14. including configuration file /etc/raddb/proxy.conf
  15. including configuration file /etc/raddb/clients.conf
  16. including files in directory /etc/raddb/mods-enabled/
  17. including configuration file /etc/raddb/mods-enabled/always
  18. including configuration file /etc/raddb/mods-enabled/attr_filter
  19. including configuration file /etc/raddb/mods-enabled/chap
  20. including configuration file /etc/raddb/mods-enabled/date
  21. including configuration file /etc/raddb/mods-enabled/detail
  22. including configuration file /etc/raddb/mods-enabled/detail.log
  23. including configuration file /etc/raddb/mods-enabled/digest
  24. including configuration file /etc/raddb/mods-enabled/dynamic_clients
  25. including configuration file /etc/raddb/mods-enabled/eap
  26. including configuration file /etc/raddb/mods-enabled/echo
  27. including configuration file /etc/raddb/mods-enabled/exec
  28. including configuration file /etc/raddb/mods-enabled/expiration
  29. including configuration file /etc/raddb/mods-enabled/expr
  30. including configuration file /etc/raddb/mods-enabled/files
  31. including configuration file /etc/raddb/mods-enabled/linelog
  32. including configuration file /etc/raddb/mods-enabled/logintime
  33. including configuration file /etc/raddb/mods-enabled/mschap
  34. including configuration file /etc/raddb/mods-enabled/ntlm_auth
  35. including configuration file /etc/raddb/mods-enabled/pap
  36. including configuration file /etc/raddb/mods-enabled/passwd
  37. including configuration file /etc/raddb/mods-enabled/preprocess
  38. including configuration file /etc/raddb/mods-enabled/radutmp
  39. including configuration file /etc/raddb/mods-enabled/realm
  40. including configuration file /etc/raddb/mods-enabled/replicate
  41. including configuration file /etc/raddb/mods-enabled/soh
  42. including configuration file /etc/raddb/mods-enabled/sradutmp
  43. including configuration file /etc/raddb/mods-enabled/unix
  44. including configuration file /etc/raddb/mods-enabled/unpack
  45. including configuration file /etc/raddb/mods-enabled/utf8
  46. including configuration file /etc/raddb/mods-enabled/totp
  47. including files in directory /etc/raddb/policy.d/
  48. including configuration file /etc/raddb/policy.d/accounting
  49. including configuration file /etc/raddb/policy.d/canonicalization
  50. including configuration file /etc/raddb/policy.d/control
  51. including configuration file /etc/raddb/policy.d/cui
  52. including configuration file /etc/raddb/policy.d/debug
  53. including configuration file /etc/raddb/policy.d/dhcp
  54. including configuration file /etc/raddb/policy.d/eap
  55. including configuration file /etc/raddb/policy.d/filter
  56. including configuration file /etc/raddb/policy.d/operator-name
  57. including configuration file /etc/raddb/policy.d/rfc7542
  58. including configuration file /etc/raddb/policy.d/abfab-tr
  59. including configuration file /etc/raddb/policy.d/moonshot-targeted-ids
  60. including files in directory /etc/raddb/sites-enabled/
  61. including configuration file /etc/raddb/sites-enabled/default
  62. including configuration file /etc/raddb/sites-enabled/inner-tunnel
  63. main {
  64. security {
  65. user = "radiusd"
  66. group = "radiusd"
  67. allow_core_dumps = no
  68. }
  69. name = "radiusd"
  70. prefix = "/usr"
  71. localstatedir = "/var"
  72. logdir = "/var/log/radius"
  73. run_dir = "/var/run/radiusd"
  74. }
  75. main {
  76. name = "radiusd"
  77. prefix = "/usr"
  78. localstatedir = "/var"
  79. sbindir = "/usr/sbin"
  80. logdir = "/var/log/radius"
  81. run_dir = "/var/run/radiusd"
  82. libdir = "/usr/lib64/freeradius"
  83. radacctdir = "/var/log/radius/radacct"
  84. hostname_lookups = no
  85. max_request_time = 30
  86. cleanup_delay = 5
  87. max_requests = 16384
  88. postauth_client_lost = no
  89. pidfile = "/var/run/radiusd/radiusd.pid"
  90. checkrad = "/usr/sbin/checkrad"
  91. debug_level = 0
  92. proxy_requests = no
  93. log {
  94. stripped_names = no
  95. auth = yes
  96. auth_accept = yes
  97. auth_reject = yes
  98. auth_badpass = yes
  99. auth_goodpass = yes
  100. colourise = yes
  101. msg_denied = "You are already logged in - access denied"
  102. }
  103. resources {
  104. }
  105. security {
  106. max_attributes = 200
  107. reject_delay = 1.000000
  108. status_server = yes
  109. allow_vulnerable_openssl = "no"
  110. }
  111. }
  112. radiusd: #### Loading Realms and Home Servers ####
  113. proxy server {
  114. retry_delay = 5
  115. retry_count = 3
  116. default_fallback = no
  117. dead_time = 120
  118. wake_all_if_all_dead = no
  119. }
  120. home_server localhost {
  121. nonblock = no
  122. ipaddr = 127.0.0.1
  123. port = 1812
  124. type = "auth"
  125. secret = <<< secret >>>
  126. response_window = 20.000000
  127. response_timeouts = 1
  128. max_outstanding = 65536
  129. zombie_period = 40
  130. status_check = "status-server"
  131. ping_interval = 30
  132. check_interval = 30
  133. check_timeout = 4
  134. num_answers_to_alive = 3
  135. revive_interval = 120
  136. limit {
  137. max_connections = 16
  138. max_requests = 0
  139. lifetime = 0
  140. idle_timeout = 0
  141. }
  142. coa {
  143. irt = 2
  144. mrt = 16
  145. mrc = 5
  146. mrd = 30
  147. }
  148. recv_coa {
  149. }
  150. }
  151. realm LOCAL {
  152. }
  153. realm NULL {
  154. }
  155. home_server_pool my_auth_failover {
  156. type = fail-over
  157. home_server = localhost
  158. }
  159. radiusd: #### Loading Clients ####
  160. client localhost {
  161. ipaddr = 127.0.0.1
  162. require_message_authenticator = no
  163. secret = <<< secret >>>
  164. nas_type = "other"
  165. proto = "*"
  166. limit {
  167. max_connections = 16
  168. lifetime = 0
  169. idle_timeout = 30
  170. }
  171. }
  172. client localhost_ipv6 {
  173. ipv6addr = ::1
  174. require_message_authenticator = no
  175. secret = <<< secret >>>
  176. limit {
  177. max_connections = 16
  178. lifetime = 0
  179. idle_timeout = 30
  180. }
  181. }
  182. client private-network-2 {
  183. ipaddr = 192.168.0.0/16
  184. require_message_authenticator = no
  185. secret = <<< secret >>>
  186. limit {
  187. max_connections = 16
  188. lifetime = 0
  189. idle_timeout = 30
  190. }
  191. }
  192. Debugger not attached
  193. systemd watchdog is disabled
  194. # Creating Auth-Type = mschap
  195. # Creating Auth-Type = digest
  196. # Creating Auth-Type = eap
  197. # Creating Auth-Type = PAP
  198. # Creating Auth-Type = CHAP
  199. # Creating Auth-Type = MS-CHAP
  200. # Creating Autz-Type = New-TLS-Connection
  201. radiusd: #### Instantiating modules ####
  202. modules {
  203. # Loaded module rlm_always
  204. # Loading module "reject" from file /etc/raddb/mods-enabled/always
  205. always reject {
  206. rcode = "reject"
  207. simulcount = 0
  208. mpp = no
  209. }
  210. # Loading module "fail" from file /etc/raddb/mods-enabled/always
  211. always fail {
  212. rcode = "fail"
  213. simulcount = 0
  214. mpp = no
  215. }
  216. # Loading module "ok" from file /etc/raddb/mods-enabled/always
  217. always ok {
  218. rcode = "ok"
  219. simulcount = 0
  220. mpp = no
  221. }
  222. # Loading module "handled" from file /etc/raddb/mods-enabled/always
  223. always handled {
  224. rcode = "handled"
  225. simulcount = 0
  226. mpp = no
  227. }
  228. # Loading module "invalid" from file /etc/raddb/mods-enabled/always
  229. always invalid {
  230. rcode = "invalid"
  231. simulcount = 0
  232. mpp = no
  233. }
  234. # Loading module "userlock" from file /etc/raddb/mods-enabled/always
  235. always userlock {
  236. rcode = "userlock"
  237. simulcount = 0
  238. mpp = no
  239. }
  240. # Loading module "notfound" from file /etc/raddb/mods-enabled/always
  241. always notfound {
  242. rcode = "notfound"
  243. simulcount = 0
  244. mpp = no
  245. }
  246. # Loading module "noop" from file /etc/raddb/mods-enabled/always
  247. always noop {
  248. rcode = "noop"
  249. simulcount = 0
  250. mpp = no
  251. }
  252. # Loading module "updated" from file /etc/raddb/mods-enabled/always
  253. always updated {
  254. rcode = "updated"
  255. simulcount = 0
  256. mpp = no
  257. }
  258. # Loaded module rlm_attr_filter
  259. # Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
  260. attr_filter attr_filter.post-proxy {
  261. filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
  262. key = "%{Realm}"
  263. relaxed = no
  264. }
  265. # Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
  266. attr_filter attr_filter.pre-proxy {
  267. filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
  268. key = "%{Realm}"
  269. relaxed = no
  270. }
  271. # Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
  272. attr_filter attr_filter.access_reject {
  273. filename = "/etc/raddb/mods-config/attr_filter/access_reject"
  274. key = "%{User-Name}"
  275. relaxed = no
  276. }
  277. # Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
  278. attr_filter attr_filter.access_challenge {
  279. filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
  280. key = "%{User-Name}"
  281. relaxed = no
  282. }
  283. # Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
  284. attr_filter attr_filter.accounting_response {
  285. filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
  286. key = "%{User-Name}"
  287. relaxed = no
  288. }
  289. # Loading module "attr_filter.coa" from file /etc/raddb/mods-enabled/attr_filter
  290. attr_filter attr_filter.coa {
  291. filename = "/etc/raddb/mods-config/attr_filter/coa"
  292. key = "%{User-Name}"
  293. relaxed = no
  294. }
  295. # Loaded module rlm_chap
  296. # Loading module "chap" from file /etc/raddb/mods-enabled/chap
  297. # Loaded module rlm_date
  298. # Loading module "date" from file /etc/raddb/mods-enabled/date
  299. date {
  300. format = "%b %e %Y %H:%M:%S %Z"
  301. utc = no
  302. }
  303. # Loading module "wispr2date" from file /etc/raddb/mods-enabled/date
  304. date wispr2date {
  305. format = "%Y-%m-%dT%H:%M:%S"
  306. utc = no
  307. }
  308. # Loaded module rlm_detail
  309. # Loading module "detail" from file /etc/raddb/mods-enabled/detail
  310. detail {
  311. filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
  312. header = "%t"
  313. permissions = 384
  314. locking = no
  315. escape_filenames = no
  316. log_packet_header = no
  317. }
  318. # Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
  319. detail auth_log {
  320. filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
  321. header = "%t"
  322. permissions = 384
  323. locking = no
  324. escape_filenames = no
  325. log_packet_header = no
  326. }
  327. # Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
  328. detail reply_log {
  329. filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
  330. header = "%t"
  331. permissions = 384
  332. locking = no
  333. escape_filenames = no
  334. log_packet_header = no
  335. }
  336. # Loading module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
  337. detail pre_proxy_log {
  338. filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
  339. header = "%t"
  340. permissions = 384
  341. locking = no
  342. escape_filenames = no
  343. log_packet_header = no
  344. }
  345. # Loading module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
  346. detail post_proxy_log {
  347. filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
  348. header = "%t"
  349. permissions = 384
  350. locking = no
  351. escape_filenames = no
  352. log_packet_header = no
  353. }
  354. # Loaded module rlm_digest
  355. # Loading module "digest" from file /etc/raddb/mods-enabled/digest
  356. # Loaded module rlm_dynamic_clients
  357. # Loading module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients
  358. # Loaded module rlm_eap
  359. # Loading module "eap" from file /etc/raddb/mods-enabled/eap
  360. eap {
  361. default_eap_type = "tls"
  362. timer_expire = 60
  363. max_eap_type = 52
  364. ignore_unknown_eap_types = no
  365. cisco_accounting_username_bug = no
  366. max_sessions = 16384
  367. }
  368. # Loaded module rlm_exec
  369. # Loading module "echo" from file /etc/raddb/mods-enabled/echo
  370. exec echo {
  371. wait = yes
  372. program = "/bin/echo %{User-Name}"
  373. input_pairs = "request"
  374. output_pairs = "reply"
  375. shell_escape = yes
  376. }
  377. # Loading module "exec" from file /etc/raddb/mods-enabled/exec
  378. exec {
  379. wait = no
  380. input_pairs = "request"
  381. shell_escape = yes
  382. timeout = 10
  383. }
  384. # Loaded module rlm_expiration
  385. # Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
  386. # Loaded module rlm_expr
  387. # Loading module "expr" from file /etc/raddb/mods-enabled/expr
  388. expr {
  389. safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
  390. }
  391. # Loaded module rlm_files
  392. # Loading module "files" from file /etc/raddb/mods-enabled/files
  393. files {
  394. filename = "/etc/raddb/mods-config/files/authorize"
  395. acctusersfile = "/etc/raddb/mods-config/files/accounting"
  396. preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
  397. }
  398. # Loaded module rlm_linelog
  399. # Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
  400. linelog {
  401. filename = "/var/log/radius/linelog"
  402. escape_filenames = no
  403. syslog_severity = "info"
  404. permissions = 384
  405. format = "This is a log message for %{User-Name}"
  406. reference = "messages.%{%{reply:Packet-Type}:-default}"
  407. }
  408. # Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog
  409. linelog log_accounting {
  410. filename = "/var/log/radius/linelog-accounting"
  411. escape_filenames = no
  412. syslog_severity = "info"
  413. permissions = 384
  414. format = ""
  415. reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
  416. }
  417. # Loaded module rlm_logintime
  418. # Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
  419. logintime {
  420. minimum_timeout = 60
  421. }
  422. # Loaded module rlm_mschap
  423. # Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
  424. mschap {
  425. use_mppe = yes
  426. require_encryption = no
  427. require_strong = no
  428. with_ntdomain_hack = yes
  429. passchange {
  430. }
  431. allow_retry = yes
  432. winbind_retry_with_normalised_username = no
  433. }
  434. # Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
  435. exec ntlm_auth {
  436. wait = yes
  437. program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
  438. shell_escape = yes
  439. }
  440. # Loaded module rlm_pap
  441. # Loading module "pap" from file /etc/raddb/mods-enabled/pap
  442. pap {
  443. normalise = yes
  444. }
  445. # Loaded module rlm_passwd
  446. # Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
  447. passwd etc_passwd {
  448. filename = "/etc/passwd"
  449. format = "*User-Name:Crypt-Password:"
  450. delimiter = ":"
  451. ignore_nislike = no
  452. ignore_empty = yes
  453. allow_multiple_keys = no
  454. hash_size = 100
  455. }
  456. # Loaded module rlm_preprocess
  457. # Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess
  458. preprocess {
  459. huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
  460. hints = "/etc/raddb/mods-config/preprocess/hints"
  461. with_ascend_hack = no
  462. ascend_channels_per_line = 23
  463. with_ntdomain_hack = no
  464. with_specialix_jetstream_hack = no
  465. with_cisco_vsa_hack = no
  466. with_alvarion_vsa_hack = no
  467. }
  468. # Loaded module rlm_radutmp
  469. # Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
  470. radutmp {
  471. filename = "/var/log/radius/radutmp"
  472. username = "%{User-Name}"
  473. case_sensitive = yes
  474. check_with_nas = yes
  475. permissions = 384
  476. caller_id = yes
  477. }
  478. # Loaded module rlm_realm
  479. # Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
  480. realm IPASS {
  481. format = "prefix"
  482. delimiter = "/"
  483. ignore_default = no
  484. ignore_null = no
  485. }
  486. # Loading module "suffix" from file /etc/raddb/mods-enabled/realm
  487. realm suffix {
  488. format = "suffix"
  489. delimiter = "@"
  490. ignore_default = no
  491. ignore_null = no
  492. }
  493. # Loading module "bangpath" from file /etc/raddb/mods-enabled/realm
  494. realm bangpath {
  495. format = "prefix"
  496. delimiter = "!"
  497. ignore_default = no
  498. ignore_null = no
  499. }
  500. # Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
  501. realm realmpercent {
  502. format = "suffix"
  503. delimiter = "%"
  504. ignore_default = no
  505. ignore_null = no
  506. }
  507. # Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
  508. realm ntdomain {
  509. format = "prefix"
  510. delimiter = "\\"
  511. ignore_default = no
  512. ignore_null = no
  513. }
  514. # Loaded module rlm_replicate
  515. # Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
  516. # Loaded module rlm_soh
  517. # Loading module "soh" from file /etc/raddb/mods-enabled/soh
  518. soh {
  519. dhcp = yes
  520. }
  521. # Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
  522. radutmp sradutmp {
  523. filename = "/var/log/radius/sradutmp"
  524. username = "%{User-Name}"
  525. case_sensitive = yes
  526. check_with_nas = yes
  527. permissions = 420
  528. caller_id = no
  529. }
  530. # Loaded module rlm_unix
  531. # Loading module "unix" from file /etc/raddb/mods-enabled/unix
  532. unix {
  533. radwtmp = "/var/log/radius/radwtmp"
  534. }
  535. Creating attribute Unix-Group
  536. # Loaded module rlm_unpack
  537. # Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
  538. # Loaded module rlm_utf8
  539. # Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
  540. # Loaded module rlm_totp
  541. # Loading module "totp" from file /etc/raddb/mods-enabled/totp
  542. instantiate {
  543. }
  544. # Instantiating module "reject" from file /etc/raddb/mods-enabled/always
  545. # Instantiating module "fail" from file /etc/raddb/mods-enabled/always
  546. # Instantiating module "ok" from file /etc/raddb/mods-enabled/always
  547. # Instantiating module "handled" from file /etc/raddb/mods-enabled/always
  548. # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
  549. # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
  550. # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
  551. # Instantiating module "noop" from file /etc/raddb/mods-enabled/always
  552. # Instantiating module "updated" from file /etc/raddb/mods-enabled/always
  553. # Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
  554. reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
  555. # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
  556. reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
  557. # Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
  558. reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
  559. # Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
  560. reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
  561. # Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
  562. reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
  563. # Instantiating module "attr_filter.coa" from file /etc/raddb/mods-enabled/attr_filter
  564. reading pairlist file /etc/raddb/mods-config/attr_filter/coa
  565. # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
  566. # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log
  567. rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
  568. # Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log
  569. # Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
  570. # Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
  571. # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
  572. # Linked to sub-module rlm_eap_md5
  573. # Linked to sub-module rlm_eap_gtc
  574. gtc {
  575. challenge = "Password: "
  576. auth_type = "PAP"
  577. }
  578. # Linked to sub-module rlm_eap_tls
  579. tls {
  580. tls = "tls-common"
  581. }
  582. tls-config tls-common {
  583. verify_depth = 0
  584. ca_path = "/etc/raddb/certs"
  585. pem_file_type = yes
  586. private_key_file = "/etc/raddb/certs/private-example-key.pem"
  587. certificate_file = "/etc/raddb/certs/private-example-cert.pem"
  588. ca_file = "/etc/raddb/certs/private-ca-cert.pem"
  589. private_key_password = <<< secret >>>
  590. fragment_size = 1024
  591. include_length = yes
  592. auto_chain = yes
  593. check_crl = no
  594. check_all_crl = no
  595. ca_path_reload_interval = 0
  596. cipher_list = "DEFAULT"
  597. cipher_server_preference = no
  598. reject_unknown_intermediate_ca = no
  599. ecdh_curve = "prime256v1"
  600. tls_max_version = "1.2"
  601. tls_min_version = "1.2"
  602. cache {
  603. enable = yes
  604. lifetime = 24
  605. name = "EAP-TLS"
  606. max_entries = 255
  607. }
  608. verify {
  609. skip_if_ocsp_ok = no
  610. }
  611. ocsp {
  612. enable = no
  613. override_cert_url = yes
  614. url = "http://127.0.0.1/ocsp/"
  615. use_nonce = yes
  616. timeout = 0
  617. softfail = no
  618. }
  619. }
  620. # Linked to sub-module rlm_eap_ttls
  621. ttls {
  622. tls = "tls-peap"
  623. default_eap_type = "md5"
  624. copy_request_to_tunnel = no
  625. use_tunneled_reply = no
  626. virtual_server = "inner-tunnel"
  627. include_length = yes
  628. require_client_cert = no
  629. }
  630. tls-config tls-peap {
  631. verify_depth = 0
  632. ca_path = "/etc/raddb/certs"
  633. pem_file_type = yes
  634. private_key_file = "/etc/raddb/certs/public-example-key.pem"
  635. certificate_file = "/etc/raddb/certs/public-example-cert.pem"
  636. ca_file = "/etc/raddb/certs/public-ca-cert.pem"
  637. private_key_password = <<< secret >>>
  638. fragment_size = 1024
  639. include_length = yes
  640. auto_chain = yes
  641. check_crl = no
  642. check_all_crl = no
  643. ca_path_reload_interval = 0
  644. cipher_list = "TLSv1.2"
  645. cipher_server_preference = no
  646. reject_unknown_intermediate_ca = no
  647. ecdh_curve = "prime256v1"
  648. tls_max_version = "1.2"
  649. tls_min_version = "1.2"
  650. cache {
  651. enable = yes
  652. lifetime = 24
  653. name = "EAP-PEAP"
  654. max_entries = 255
  655. }
  656. verify {
  657. skip_if_ocsp_ok = no
  658. }
  659. ocsp {
  660. enable = no
  661. override_cert_url = yes
  662. url = "http://127.0.0.1/ocsp/"
  663. use_nonce = yes
  664. timeout = 0
  665. softfail = no
  666. }
  667. }
  668. # Linked to sub-module rlm_eap_peap
  669. peap {
  670. tls = "tls-peap"
  671. default_eap_type = "mschapv2"
  672. copy_request_to_tunnel = no
  673. use_tunneled_reply = no
  674. proxy_tunneled_request_as_eap = yes
  675. virtual_server = "inner-tunnel"
  676. soh = no
  677. require_client_cert = no
  678. }
  679. tls: Using cached TLS configuration from previous invocation
  680. # Linked to sub-module rlm_eap_mschapv2
  681. mschapv2 {
  682. with_ntdomain_hack = no
  683. send_error = no
  684. }
  685. # Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration
  686. # Instantiating module "files" from file /etc/raddb/mods-enabled/files
  687. reading pairlist file /etc/raddb/mods-config/files/authorize
  688. reading pairlist file /etc/raddb/mods-config/files/accounting
  689. reading pairlist file /etc/raddb/mods-config/files/pre-proxy
  690. # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
  691. # Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog
  692. # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime
  693. # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
  694. rlm_mschap (mschap): using internal authentication
  695. # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
  696. # Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
  697. rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
  698. # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess
  699. reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
  700. reading pairlist file /etc/raddb/mods-config/preprocess/hints
  701. # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
  702. # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
  703. # Instantiating module "bangpath" from file /etc/raddb/mods-enabled/realm
  704. # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm
  705. # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
  706. } # modules
  707. radiusd: #### Loading Virtual Servers ####
  708. server { # from file /etc/raddb/radiusd.conf
  709. } # server
  710. server default { # from file /etc/raddb/sites-enabled/default
  711. # Loading authenticate {...}
  712. Compiling Auth-Type PAP for attr Auth-Type
  713. Compiling Auth-Type CHAP for attr Auth-Type
  714. Compiling Auth-Type MS-CHAP for attr Auth-Type
  715. # Loading authorize {...}
  716. Ignoring "sql" (see raddb/mods-available/README.rst)
  717. Ignoring "ldap" (see raddb/mods-available/README.rst)
  718. Compiling Autz-Type New-TLS-Connection for attr Autz-Type
  719. # Loading preacct {...}
  720. # Loading accounting {...}
  721. # Loading post-auth {...}
  722. Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
  723. Compiling Post-Auth-Type Challenge for attr Post-Auth-Type
  724. Compiling Post-Auth-Type Client-Lost for attr Post-Auth-Type
  725. } # server default
  726. server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
  727. # Loading authenticate {...}
  728. Compiling Auth-Type PAP for attr Auth-Type
  729. Compiling Auth-Type CHAP for attr Auth-Type
  730. Compiling Auth-Type MS-CHAP for attr Auth-Type
  731. # Loading authorize {...}
  732. # Loading session {...}
  733. # Loading post-auth {...}
  734. # Skipping contents of 'if' as it is always 'false' -- /etc/raddb/sites-enabled/inner-tunnel:366
  735. Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
  736. } # server inner-tunnel
  737. radiusd: #### Opening IP addresses and Ports ####
  738. listen {
  739. type = "auth"
  740. ipaddr = *
  741. port = 0
  742. limit {
  743. max_connections = 16
  744. lifetime = 0
  745. idle_timeout = 30
  746. }
  747. }
  748. listen {
  749. type = "acct"
  750. ipaddr = *
  751. port = 0
  752. limit {
  753. max_connections = 16
  754. lifetime = 0
  755. idle_timeout = 30
  756. }
  757. }
  758. listen {
  759. type = "auth"
  760. ipv6addr = ::
  761. port = 0
  762. limit {
  763. max_connections = 16
  764. lifetime = 0
  765. idle_timeout = 30
  766. }
  767. }
  768. listen {
  769. type = "acct"
  770. ipv6addr = ::
  771. port = 0
  772. limit {
  773. max_connections = 16
  774. lifetime = 0
  775. idle_timeout = 30
  776. }
  777. }
  778. listen {
  779. type = "auth"
  780. ipaddr = 127.0.0.1
  781. port = 18120
  782. }
  783. Listening on auth address * port 1812 bound to server default
  784. Listening on acct address * port 1813 bound to server default
  785. Listening on auth address :: port 1812 bound to server default
  786. Listening on acct address :: port 1813 bound to server default
  787. Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
  788. Ready to process requests
  789. (0) Received Access-Request Id 0 from 192.168.1.2:52174 to 192.168.1.2:1812 length 128
  790. (0) User-Name = "johndoe"
  791. (0) NAS-IP-Address = 127.0.0.1
  792. (0) Calling-Station-Id = "02-00-00-00-00-01"
  793. (0) Framed-MTU = 1400
  794. (0) NAS-Port-Type = Wireless-802.11
  795. (0) Service-Type = Framed-User
  796. (0) Connect-Info = "CONNECT 11Mbps 802.11b"
  797. (0) EAP-Message = 0x02c8000c016a6f686e646f65
  798. (0) Message-Authenticator = 0x716f1e4b43a19bac613db78a0509acdf
  799. (0) # Executing section authorize from file /etc/raddb/sites-enabled/default
  800. (0) authorize {
  801. (0) policy filter_username {
  802. (0) if (&User-Name) {
  803. (0) if (&User-Name) -> TRUE
  804. (0) if (&User-Name) {
  805. (0) if (&User-Name =~ / /) {
  806. (0) if (&User-Name =~ / /) -> FALSE
  807. (0) if (&User-Name =~ /@[^@]*@/ ) {
  808. (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  809. (0) if (&User-Name =~ /\.\./ ) {
  810. (0) if (&User-Name =~ /\.\./ ) -> FALSE
  811. (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  812. (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  813. (0) if (&User-Name =~ /\.$/) {
  814. (0) if (&User-Name =~ /\.$/) -> FALSE
  815. (0) if (&User-Name =~ /@\./) {
  816. (0) if (&User-Name =~ /@\./) -> FALSE
  817. (0) } # if (&User-Name) = notfound
  818. (0) } # policy filter_username = notfound
  819. (0) [preprocess] = ok
  820. (0) [chap] = noop
  821. (0) [mschap] = noop
  822. (0) [digest] = noop
  823. (0) suffix: Checking for suffix after "@"
  824. (0) suffix: No '@' in User-Name = "johndoe", looking up realm NULL
  825. (0) suffix: Found realm "NULL"
  826. (0) suffix: Adding Stripped-User-Name = "johndoe"
  827. (0) suffix: Adding Realm = "NULL"
  828. (0) suffix: Authentication realm is LOCAL
  829. (0) [suffix] = ok
  830. (0) eap: Peer sent EAP Response (code 2) ID 200 length 12
  831. (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
  832. (0) [eap] = ok
  833. (0) } # authorize = ok
  834. (0) Found Auth-Type = eap
  835. (0) # Executing group from file /etc/raddb/sites-enabled/default
  836. (0) authenticate {
  837. (0) eap: Peer sent packet with method EAP Identity (1)
  838. (0) eap: Calling submodule eap_tls to process data
  839. (0) eap_tls: (TLS) Initiating new session
  840. (0) eap_tls: (TLS) Setting verify mode to require certificate from client
  841. (0) eap: Sending EAP Request (code 1) ID 201 length 6
  842. (0) eap: EAP session adding &reply:State = 0xadc99705ad009a52
  843. (0) [eap] = handled
  844. (0) } # authenticate = handled
  845. (0) Using Post-Auth-Type Challenge
  846. (0) # Executing group from file /etc/raddb/sites-enabled/default
  847. (0) Challenge { ... } # empty sub-section is ignored
  848. (0) session-state: Saving cached attributes
  849. (0) Framed-MTU = 1014
  850. (0) Sent Access-Challenge Id 0 from 192.168.1.2:1812 to 192.168.1.2:52174 length 64
  851. (0) EAP-Message = 0x01c900060d20
  852. (0) Message-Authenticator = 0x00000000000000000000000000000000
  853. (0) State = 0xadc99705ad009a527377a09714487362
  854. (0) Finished request
  855. Waking up in 4.9 seconds.
  856. (1) Received Access-Request Id 1 from 192.168.1.2:52174 to 192.168.1.2:1812 length 336
  857. (1) User-Name = "johndoe"
  858. (1) NAS-IP-Address = 127.0.0.1
  859. (1) Calling-Station-Id = "02-00-00-00-00-01"
  860. (1) Framed-MTU = 1400
  861. (1) NAS-Port-Type = Wireless-802.11
  862. (1) Service-Type = Framed-User
  863. (1) Connect-Info = "CONNECT 11Mbps 802.11b"
  864. (1) EAP-Message = 0x02c900ca0d0016030100bf010000bb030359ecb21fa0d35dbfa8d1bb2f45ed49893fa1d416dc2f32bc6f101f33c8edd011000048c02cc030cca9cca8c0adc02bc02fc0acc023c027c00ac014c009c013009dc09d009cc09c003d003c0035002f009fccaac09f009ec09e006b006700390033c008c012000a001600ff0100004a000b000403000102000a000c000a001d0017001e001900180016000000170000000d002600240403050306030807080808090804080a0805080b08060401050106010303030102030201
  865. (1) State = 0xadc99705ad009a527377a09714487362
  866. (1) Message-Authenticator = 0x0755744e531aa78f1548483052e418bd
  867. (1) Restoring &session-state
  868. (1) &session-state:Framed-MTU = 1014
  869. (1) # Executing section authorize from file /etc/raddb/sites-enabled/default
  870. (1) authorize {
  871. (1) policy filter_username {
  872. (1) if (&User-Name) {
  873. (1) if (&User-Name) -> TRUE
  874. (1) if (&User-Name) {
  875. (1) if (&User-Name =~ / /) {
  876. (1) if (&User-Name =~ / /) -> FALSE
  877. (1) if (&User-Name =~ /@[^@]*@/ ) {
  878. (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  879. (1) if (&User-Name =~ /\.\./ ) {
  880. (1) if (&User-Name =~ /\.\./ ) -> FALSE
  881. (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  882. (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  883. (1) if (&User-Name =~ /\.$/) {
  884. (1) if (&User-Name =~ /\.$/) -> FALSE
  885. (1) if (&User-Name =~ /@\./) {
  886. (1) if (&User-Name =~ /@\./) -> FALSE
  887. (1) } # if (&User-Name) = notfound
  888. (1) } # policy filter_username = notfound
  889. (1) [preprocess] = ok
  890. (1) [chap] = noop
  891. (1) [mschap] = noop
  892. (1) [digest] = noop
  893. (1) suffix: Checking for suffix after "@"
  894. (1) suffix: No '@' in User-Name = "johndoe", looking up realm NULL
  895. (1) suffix: Found realm "NULL"
  896. (1) suffix: Adding Stripped-User-Name = "johndoe"
  897. (1) suffix: Adding Realm = "NULL"
  898. (1) suffix: Authentication realm is LOCAL
  899. (1) [suffix] = ok
  900. (1) eap: Peer sent EAP Response (code 2) ID 201 length 202
  901. (1) eap: No EAP Start, assuming it's an on-going EAP conversation
  902. (1) [eap] = updated
  903. (1) [files] = noop
  904. (1) [expiration] = noop
  905. (1) [logintime] = noop
  906. (1) [pap] = noop
  907. (1) } # authorize = updated
  908. (1) Found Auth-Type = eap
  909. (1) # Executing group from file /etc/raddb/sites-enabled/default
  910. (1) authenticate {
  911. (1) eap: Expiring EAP session with state 0xadc99705ad009a52
  912. (1) eap: Finished EAP session with state 0xadc99705ad009a52
  913. (1) eap: Previous EAP request found for state 0xadc99705ad009a52, released from the list
  914. (1) eap: Peer sent packet with method EAP TLS (13)
  915. (1) eap: Calling submodule eap_tls to process data
  916. (1) eap_tls: (TLS) EAP Got final fragment (196 bytes)
  917. (1) eap_tls: WARNING: (TLS) EAP Total received record fragments (196 bytes), does not equal expected data length (0 bytes)
  918. (1) eap_tls: (TLS) EAP Done initial handshake
  919. (1) eap_tls: (TLS) Handshake state - before SSL initialization
  920. (1) eap_tls: (TLS) Handshake state - Server before SSL initialization
  921. (1) eap_tls: (TLS) Handshake state - Server before SSL initialization
  922. (1) eap_tls: (TLS) recv TLS 1.3 Handshake, ClientHello
  923. (1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client hello
  924. (1) eap_tls: (TLS) send TLS 1.2 Handshake, ServerHello
  925. (1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server hello
  926. (1) eap_tls: (TLS) send TLS 1.2 Handshake, Certificate
  927. (1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write certificate
  928. (1) eap_tls: (TLS) send TLS 1.2 Handshake, ServerKeyExchange
  929. (1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write key exchange
  930. (1) eap_tls: (TLS) send TLS 1.2 Handshake, CertificateRequest
  931. (1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write certificate request
  932. (1) eap_tls: (TLS) send TLS 1.2 Handshake, ServerHelloDone
  933. (1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done
  934. (1) eap_tls: (TLS) Server : Need to read more data: SSLv3/TLS write server done
  935. (1) eap_tls: (TLS) In Handshake Phase
  936. (1) eap: Sending EAP Request (code 1) ID 202 length 1024
  937. (1) eap: EAP session adding &reply:State = 0xadc99705ac039a52
  938. (1) [eap] = handled
  939. (1) } # authenticate = handled
  940. (1) Using Post-Auth-Type Challenge
  941. (1) # Executing group from file /etc/raddb/sites-enabled/default
  942. (1) Challenge { ... } # empty sub-section is ignored
  943. (1) session-state: Saving cached attributes
  944. (1) Framed-MTU = 1014
  945. (1) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
  946. (1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
  947. (1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
  948. (1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
  949. (1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
  950. (1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
  951. (1) Sent Access-Challenge Id 1 from 192.168.1.2:1812 to 192.168.1.2:52174 length 1090
  952. (1) EAP-Message = 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
  953. (1) Message-Authenticator = 0x00000000000000000000000000000000
  954. (1) State = 0xadc99705ac039a527377a09714487362
  955. (1) Finished request
  956. Waking up in 4.9 seconds.
  957. (2) Received Access-Request Id 2 from 192.168.1.2:52174 to 192.168.1.2:1812 length 140
  958. (2) User-Name = "johndoe"
  959. (2) NAS-IP-Address = 127.0.0.1
  960. (2) Calling-Station-Id = "02-00-00-00-00-01"
  961. (2) Framed-MTU = 1400
  962. (2) NAS-Port-Type = Wireless-802.11
  963. (2) Service-Type = Framed-User
  964. (2) Connect-Info = "CONNECT 11Mbps 802.11b"
  965. (2) EAP-Message = 0x02ca00060d00
  966. (2) State = 0xadc99705ac039a527377a09714487362
  967. (2) Message-Authenticator = 0x6e6ed47ba90f751b499d3164c569b045
  968. (2) Restoring &session-state
  969. (2) &session-state:Framed-MTU = 1014
  970. (2) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
  971. (2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
  972. (2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
  973. (2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
  974. (2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
  975. (2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
  976. (2) # Executing section authorize from file /etc/raddb/sites-enabled/default
  977. (2) authorize {
  978. (2) policy filter_username {
  979. (2) if (&User-Name) {
  980. (2) if (&User-Name) -> TRUE
  981. (2) if (&User-Name) {
  982. (2) if (&User-Name =~ / /) {
  983. (2) if (&User-Name =~ / /) -> FALSE
  984. (2) if (&User-Name =~ /@[^@]*@/ ) {
  985. (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  986. (2) if (&User-Name =~ /\.\./ ) {
  987. (2) if (&User-Name =~ /\.\./ ) -> FALSE
  988. (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  989. (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  990. (2) if (&User-Name =~ /\.$/) {
  991. (2) if (&User-Name =~ /\.$/) -> FALSE
  992. (2) if (&User-Name =~ /@\./) {
  993. (2) if (&User-Name =~ /@\./) -> FALSE
  994. (2) } # if (&User-Name) = notfound
  995. (2) } # policy filter_username = notfound
  996. (2) [preprocess] = ok
  997. (2) [chap] = noop
  998. (2) [mschap] = noop
  999. (2) [digest] = noop
  1000. (2) suffix: Checking for suffix after "@"
  1001. (2) suffix: No '@' in User-Name = "johndoe", looking up realm NULL
  1002. (2) suffix: Found realm "NULL"
  1003. (2) suffix: Adding Stripped-User-Name = "johndoe"
  1004. (2) suffix: Adding Realm = "NULL"
  1005. (2) suffix: Authentication realm is LOCAL
  1006. (2) [suffix] = ok
  1007. (2) eap: Peer sent EAP Response (code 2) ID 202 length 6
  1008. (2) eap: No EAP Start, assuming it's an on-going EAP conversation
  1009. (2) [eap] = updated
  1010. (2) [files] = noop
  1011. (2) [expiration] = noop
  1012. (2) [logintime] = noop
  1013. (2) [pap] = noop
  1014. (2) } # authorize = updated
  1015. (2) Found Auth-Type = eap
  1016. (2) # Executing group from file /etc/raddb/sites-enabled/default
  1017. (2) authenticate {
  1018. (2) eap: Expiring EAP session with state 0xadc99705ac039a52
  1019. (2) eap: Finished EAP session with state 0xadc99705ac039a52
  1020. (2) eap: Previous EAP request found for state 0xadc99705ac039a52, released from the list
  1021. (2) eap: Peer sent packet with method EAP TLS (13)
  1022. (2) eap: Calling submodule eap_tls to process data
  1023. (2) eap_tls: (TLS) Peer ACKed our handshake fragment
  1024. (2) eap: Sending EAP Request (code 1) ID 203 length 1024
  1025. (2) eap: EAP session adding &reply:State = 0xadc99705af029a52
  1026. (2) [eap] = handled
  1027. (2) } # authenticate = handled
  1028. (2) Using Post-Auth-Type Challenge
  1029. (2) # Executing group from file /etc/raddb/sites-enabled/default
  1030. (2) Challenge { ... } # empty sub-section is ignored
  1031. (2) session-state: Saving cached attributes
  1032. (2) Framed-MTU = 1014
  1033. (2) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
  1034. (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
  1035. (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
  1036. (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
  1037. (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
  1038. (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
  1039. (2) Sent Access-Challenge Id 2 from 192.168.1.2:1812 to 192.168.1.2:52174 length 1090
  1040. (2) EAP-Message = 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
  1041. (2) Message-Authenticator = 0x00000000000000000000000000000000
  1042. (2) State = 0xadc99705af029a527377a09714487362
  1043. (2) Finished request
  1044. Waking up in 4.9 seconds.
  1045. (3) Received Access-Request Id 3 from 192.168.1.2:52174 to 192.168.1.2:1812 length 140
  1046. (3) User-Name = "johndoe"
  1047. (3) NAS-IP-Address = 127.0.0.1
  1048. (3) Calling-Station-Id = "02-00-00-00-00-01"
  1049. (3) Framed-MTU = 1400
  1050. (3) NAS-Port-Type = Wireless-802.11
  1051. (3) Service-Type = Framed-User
  1052. (3) Connect-Info = "CONNECT 11Mbps 802.11b"
  1053. (3) EAP-Message = 0x02cb00060d00
  1054. (3) State = 0xadc99705af029a527377a09714487362
  1055. (3) Message-Authenticator = 0xc5b657efd98c5f49aeffda8059822157
  1056. (3) Restoring &session-state
  1057. (3) &session-state:Framed-MTU = 1014
  1058. (3) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
  1059. (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
  1060. (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
  1061. (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
  1062. (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
  1063. (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
  1064. (3) # Executing section authorize from file /etc/raddb/sites-enabled/default
  1065. (3) authorize {
  1066. (3) policy filter_username {
  1067. (3) if (&User-Name) {
  1068. (3) if (&User-Name) -> TRUE
  1069. (3) if (&User-Name) {
  1070. (3) if (&User-Name =~ / /) {
  1071. (3) if (&User-Name =~ / /) -> FALSE
  1072. (3) if (&User-Name =~ /@[^@]*@/ ) {
  1073. (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  1074. (3) if (&User-Name =~ /\.\./ ) {
  1075. (3) if (&User-Name =~ /\.\./ ) -> FALSE
  1076. (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  1077. (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  1078. (3) if (&User-Name =~ /\.$/) {
  1079. (3) if (&User-Name =~ /\.$/) -> FALSE
  1080. (3) if (&User-Name =~ /@\./) {
  1081. (3) if (&User-Name =~ /@\./) -> FALSE
  1082. (3) } # if (&User-Name) = notfound
  1083. (3) } # policy filter_username = notfound
  1084. (3) [preprocess] = ok
  1085. (3) [chap] = noop
  1086. (3) [mschap] = noop
  1087. (3) [digest] = noop
  1088. (3) suffix: Checking for suffix after "@"
  1089. (3) suffix: No '@' in User-Name = "johndoe", looking up realm NULL
  1090. (3) suffix: Found realm "NULL"
  1091. (3) suffix: Adding Stripped-User-Name = "johndoe"
  1092. (3) suffix: Adding Realm = "NULL"
  1093. (3) suffix: Authentication realm is LOCAL
  1094. (3) [suffix] = ok
  1095. (3) eap: Peer sent EAP Response (code 2) ID 203 length 6
  1096. (3) eap: No EAP Start, assuming it's an on-going EAP conversation
  1097. (3) [eap] = updated
  1098. (3) [files] = noop
  1099. (3) [expiration] = noop
  1100. (3) [logintime] = noop
  1101. (3) [pap] = noop
  1102. (3) } # authorize = updated
  1103. (3) Found Auth-Type = eap
  1104. (3) # Executing group from file /etc/raddb/sites-enabled/default
  1105. (3) authenticate {
  1106. (3) eap: Expiring EAP session with state 0xadc99705af029a52
  1107. (3) eap: Finished EAP session with state 0xadc99705af029a52
  1108. (3) eap: Previous EAP request found for state 0xadc99705af029a52, released from the list
  1109. (3) eap: Peer sent packet with method EAP TLS (13)
  1110. (3) eap: Calling submodule eap_tls to process data
  1111. (3) eap_tls: (TLS) Peer ACKed our handshake fragment
  1112. (3) eap: Sending EAP Request (code 1) ID 204 length 922
  1113. (3) eap: EAP session adding &reply:State = 0xadc99705ae059a52
  1114. (3) [eap] = handled
  1115. (3) } # authenticate = handled
  1116. (3) Using Post-Auth-Type Challenge
  1117. (3) # Executing group from file /etc/raddb/sites-enabled/default
  1118. (3) Challenge { ... } # empty sub-section is ignored
  1119. (3) session-state: Saving cached attributes
  1120. (3) Framed-MTU = 1014
  1121. (3) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
  1122. (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
  1123. (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
  1124. (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
  1125. (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
  1126. (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
  1127. (3) Sent Access-Challenge Id 3 from 192.168.1.2:1812 to 192.168.1.2:52174 length 986
  1128. (3) EAP-Message = 0x01cc039a0d8000000b7c9626baad301f0603551d23041830168014f57f4877cfd8ae5499802a4670377aa29626baad300f0603551d130101ff040530030101ff300d06092a864886f70d01010b050003820101003f64b251d371e5417064df308d0f0b5b6808f9b90561e7c9c7c65f822b49aab8298c79556ac3ceae34726ef7f64e15aeb5d3e60922c375d447c70896bab8707de6463a3a56b94814d9eaff92cb1a24ca5eb97b16ef40c600dec8941be29a2800dc1b2e4871fd0ce1649822dfdc693045901e38253e25eaf979f701d1efcb1cd33447347aeda95650e42ce4d6fb5fa09caa80be23486dcff2017de80756b6d2db0459db54e19eb69d3648d2437c93d9a63daf45a6e6dfd6c66955cbb5726d44566f95624892dc9388d006c3b34a7212d1f7de5cb771759c51d012bdee4074a312d153bec489bd3efe38382842b295e79f2d8b5020efc7dcf9e670a95d9e32d917160303014d0c00014903001741041c5c9681c57a77b137c489e64075a464a3402f6bc6
  1129. (3) Message-Authenticator = 0x00000000000000000000000000000000
  1130. (3) State = 0xadc99705ae059a527377a09714487362
  1131. (3) Finished request
  1132. Waking up in 4.9 seconds.
  1133. (4) Received Access-Request Id 4 from 192.168.1.2:52174 to 192.168.1.2:1812 length 1552
  1134. (4) User-Name = "johndoe"
  1135. (4) NAS-IP-Address = 127.0.0.1
  1136. (4) Calling-Station-Id = "02-00-00-00-00-01"
  1137. (4) Framed-MTU = 1400
  1138. (4) NAS-Port-Type = Wireless-802.11
  1139. (4) Service-Type = Framed-User
  1140. (4) Connect-Info = "CONNECT 11Mbps 802.11b"
  1141. (4) EAP-Message = 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
  1142. (4) State = 0xadc99705ae059a527377a09714487362
  1143. (4) Message-Authenticator = 0x68a3f5e2902821107caf75f3e8db20c0
  1144. (4) Restoring &session-state
  1145. (4) &session-state:Framed-MTU = 1014
  1146. (4) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
  1147. (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
  1148. (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
  1149. (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
  1150. (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
  1151. (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
  1152. (4) # Executing section authorize from file /etc/raddb/sites-enabled/default
  1153. (4) authorize {
  1154. (4) policy filter_username {
  1155. (4) if (&User-Name) {
  1156. (4) if (&User-Name) -> TRUE
  1157. (4) if (&User-Name) {
  1158. (4) if (&User-Name =~ / /) {
  1159. (4) if (&User-Name =~ / /) -> FALSE
  1160. (4) if (&User-Name =~ /@[^@]*@/ ) {
  1161. (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  1162. (4) if (&User-Name =~ /\.\./ ) {
  1163. (4) if (&User-Name =~ /\.\./ ) -> FALSE
  1164. (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  1165. (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  1166. (4) if (&User-Name =~ /\.$/) {
  1167. (4) if (&User-Name =~ /\.$/) -> FALSE
  1168. (4) if (&User-Name =~ /@\./) {
  1169. (4) if (&User-Name =~ /@\./) -> FALSE
  1170. (4) } # if (&User-Name) = notfound
  1171. (4) } # policy filter_username = notfound
  1172. (4) [preprocess] = ok
  1173. (4) [chap] = noop
  1174. (4) [mschap] = noop
  1175. (4) [digest] = noop
  1176. (4) suffix: Checking for suffix after "@"
  1177. (4) suffix: No '@' in User-Name = "johndoe", looking up realm NULL
  1178. (4) suffix: Found realm "NULL"
  1179. (4) suffix: Adding Stripped-User-Name = "johndoe"
  1180. (4) suffix: Adding Realm = "NULL"
  1181. (4) suffix: Authentication realm is LOCAL
  1182. (4) [suffix] = ok
  1183. (4) eap: Peer sent EAP Response (code 2) ID 204 length 1408
  1184. (4) eap: No EAP Start, assuming it's an on-going EAP conversation
  1185. (4) [eap] = updated
  1186. (4) [files] = noop
  1187. (4) [expiration] = noop
  1188. (4) [logintime] = noop
  1189. (4) [pap] = noop
  1190. (4) } # authorize = updated
  1191. (4) Found Auth-Type = eap
  1192. (4) # Executing group from file /etc/raddb/sites-enabled/default
  1193. (4) authenticate {
  1194. (4) eap: Expiring EAP session with state 0xadc99705ae059a52
  1195. (4) eap: Finished EAP session with state 0xadc99705ae059a52
  1196. (4) eap: Previous EAP request found for state 0xadc99705ae059a52, released from the list
  1197. (4) eap: Peer sent packet with method EAP TLS (13)
  1198. (4) eap: Calling submodule eap_tls to process data
  1199. (4) eap_tls: (TLS) EAP Peer says that the final record size will be 2479 bytes
  1200. (4) eap_tls: (TLS) EAP Expecting 2 fragments
  1201. (4) eap_tls: (TLS) EAP Got first TLS fragment (1398 bytes). Peer says more fragments will follow
  1202. (4) eap_tls: (TLS) EAP ACKing fragment, the peer should send more data.
  1203. (4) eap: Sending EAP Request (code 1) ID 205 length 6
  1204. (4) eap: EAP session adding &reply:State = 0xadc99705a9049a52
  1205. (4) [eap] = handled
  1206. (4) } # authenticate = handled
  1207. (4) Using Post-Auth-Type Challenge
  1208. (4) # Executing group from file /etc/raddb/sites-enabled/default
  1209. (4) Challenge { ... } # empty sub-section is ignored
  1210. (4) session-state: Saving cached attributes
  1211. (4) Framed-MTU = 1014
  1212. (4) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
  1213. (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
  1214. (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
  1215. (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
  1216. (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
  1217. (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
  1218. (4) Sent Access-Challenge Id 4 from 192.168.1.2:1812 to 192.168.1.2:52174 length 64
  1219. (4) EAP-Message = 0x01cd00060d00
  1220. (4) Message-Authenticator = 0x00000000000000000000000000000000
  1221. (4) State = 0xadc99705a9049a527377a09714487362
  1222. (4) Finished request
  1223. Waking up in 4.9 seconds.
  1224. (5) Received Access-Request Id 5 from 192.168.1.2:52174 to 192.168.1.2:1812 length 1229
  1225. (5) User-Name = "johndoe"
  1226. (5) NAS-IP-Address = 127.0.0.1
  1227. (5) Calling-Station-Id = "02-00-00-00-00-01"
  1228. (5) Framed-MTU = 1400
  1229. (5) NAS-Port-Type = Wireless-802.11
  1230. (5) Service-Type = Framed-User
  1231. (5) Connect-Info = "CONNECT 11Mbps 802.11b"
  1232. (5) EAP-Message = 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
  1233. (5) State = 0xadc99705a9049a527377a09714487362
  1234. (5) Message-Authenticator = 0xc687d62e20581d3dcb6a48f2b9e51a3a
  1235. (5) Restoring &session-state
  1236. (5) &session-state:Framed-MTU = 1014
  1237. (5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
  1238. (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
  1239. (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
  1240. (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
  1241. (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
  1242. (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
  1243. (5) # Executing section authorize from file /etc/raddb/sites-enabled/default
  1244. (5) authorize {
  1245. (5) policy filter_username {
  1246. (5) if (&User-Name) {
  1247. (5) if (&User-Name) -> TRUE
  1248. (5) if (&User-Name) {
  1249. (5) if (&User-Name =~ / /) {
  1250. (5) if (&User-Name =~ / /) -> FALSE
  1251. (5) if (&User-Name =~ /@[^@]*@/ ) {
  1252. (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  1253. (5) if (&User-Name =~ /\.\./ ) {
  1254. (5) if (&User-Name =~ /\.\./ ) -> FALSE
  1255. (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  1256. (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  1257. (5) if (&User-Name =~ /\.$/) {
  1258. (5) if (&User-Name =~ /\.$/) -> FALSE
  1259. (5) if (&User-Name =~ /@\./) {
  1260. (5) if (&User-Name =~ /@\./) -> FALSE
  1261. (5) } # if (&User-Name) = notfound
  1262. (5) } # policy filter_username = notfound
  1263. (5) [preprocess] = ok
  1264. (5) [chap] = noop
  1265. (5) [mschap] = noop
  1266. (5) [digest] = noop
  1267. (5) suffix: Checking for suffix after "@"
  1268. (5) suffix: No '@' in User-Name = "johndoe", looking up realm NULL
  1269. (5) suffix: Found realm "NULL"
  1270. (5) suffix: Adding Stripped-User-Name = "johndoe"
  1271. (5) suffix: Adding Realm = "NULL"
  1272. (5) suffix: Authentication realm is LOCAL
  1273. (5) [suffix] = ok
  1274. (5) eap: Peer sent EAP Response (code 2) ID 205 length 1087
  1275. (5) eap: No EAP Start, assuming it's an on-going EAP conversation
  1276. (5) [eap] = updated
  1277. (5) [files] = noop
  1278. (5) [expiration] = noop
  1279. (5) [logintime] = noop
  1280. (5) [pap] = noop
  1281. (5) } # authorize = updated
  1282. (5) Found Auth-Type = eap
  1283. (5) # Executing group from file /etc/raddb/sites-enabled/default
  1284. (5) authenticate {
  1285. (5) eap: Expiring EAP session with state 0xadc99705a9049a52
  1286. (5) eap: Finished EAP session with state 0xadc99705a9049a52
  1287. (5) eap: Previous EAP request found for state 0xadc99705a9049a52, released from the list
  1288. (5) eap: Peer sent packet with method EAP TLS (13)
  1289. (5) eap: Calling submodule eap_tls to process data
  1290. (5) eap_tls: (TLS) EAP Got final fragment (1081 bytes)
  1291. (5) eap_tls: (TLS) EAP Done initial handshake
  1292. (5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done
  1293. (5) eap_tls: (TLS) recv TLS 1.2 Handshake, Certificate
  1294. (5) eap_tls: (TLS) Creating attributes from server certificate
  1295. (5) eap_tls: TLS-Cert-Serial := "010bd40c3282bd9d0cd4571bb51111c87f2a757a"
  1296. (5) eap_tls: TLS-Cert-Expiration := "280724055333Z"
  1297. (5) eap_tls: TLS-Cert-Valid-Since := "230726055333Z"
  1298. (5) eap_tls: TLS-Cert-Subject := "/C=TW/ST=Taiwan/L=Taipei/O=Example Inc/OU=Software Technology/CN=example.com/[email protected]"
  1299. (5) eap_tls: TLS-Cert-Issuer := "/C=TW/ST=Taiwan/L=Taipei/O=Example Inc/OU=Software Technology/CN=example.com/[email protected]"
  1300. (5) eap_tls: TLS-Cert-Common-Name := "example.com"
  1301. (5) eap_tls: (TLS) Creating attributes from client certificate
  1302. (5) eap_tls: TLS-Client-Cert-Serial := "616e19f1f8c134e8ee67f90b13c0b340a37eab4f"
  1303. (5) eap_tls: TLS-Client-Cert-Expiration := "330915024617Z"
  1304. (5) eap_tls: TLS-Client-Cert-Valid-Since := "230918024617Z"
  1305. (5) eap_tls: TLS-Client-Cert-Subject := "/C=TW/ST=Taiwan/L=Taipei/O=subject/OU=subject/CN=johndoe/[email protected]"
  1306. (5) eap_tls: TLS-Client-Cert-Issuer := "/C=TW/ST=Taiwan/L=Taipei/O=Example Inc/OU=Software Technology/CN=example.com/[email protected]"
  1307. (5) eap_tls: TLS-Client-Cert-Common-Name := "johndoe"
  1308. Certificate chain - 1 cert(s) untrusted
  1309. (TLS) untrusted certificate with depth [1] subject name /C=TW/ST=Taiwan/L=Taipei/O=Example Inc/OU=Software Technology/CN=example.com/[email protected]
  1310. (TLS) untrusted certificate with depth [0] subject name /C=TW/ST=Taiwan/L=Taipei/O=subject/OU=subject/CN=johndoe/[email protected]
  1311. (5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client certificate
  1312. (5) eap_tls: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange
  1313. (5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client key exchange
  1314. (5) eap_tls: (TLS) recv TLS 1.2 Handshake, CertificateVerify
  1315. (5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read certificate verify
  1316. (5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read change cipher spec
  1317. (5) eap_tls: (TLS) recv TLS 1.2 Handshake, Finished
  1318. (5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read finished
  1319. (5) eap_tls: (TLS) send TLS 1.2 ChangeCipherSpec
  1320. (5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write change cipher spec
  1321. (5) eap_tls: (TLS) send TLS 1.2 Handshake, Finished
  1322. (5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write finished
  1323. (5) eap_tls: (TLS) Handshake state - SSL negotiation finished successfully
  1324. (5) eap_tls: (TLS) Connection Established
  1325. (5) eap_tls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
  1326. (5) eap_tls: TLS-Session-Version = "TLS 1.2"
  1327. (5) eap: Sending EAP Request (code 1) ID 206 length 61
  1328. (5) eap: EAP session adding &reply:State = 0xadc99705a8079a52
  1329. (5) [eap] = handled
  1330. (5) } # authenticate = handled
  1331. (5) Using Post-Auth-Type Challenge
  1332. (5) # Executing group from file /etc/raddb/sites-enabled/default
  1333. (5) Challenge { ... } # empty sub-section is ignored
  1334. (5) session-state: Saving cached attributes
  1335. (5) Framed-MTU = 1014
  1336. (5) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
  1337. (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
  1338. (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
  1339. (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
  1340. (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
  1341. (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
  1342. (5) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Certificate"
  1343. (5) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
  1344. (5) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, CertificateVerify"
  1345. (5) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
  1346. (5) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
  1347. (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
  1348. (5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
  1349. (5) TLS-Session-Version = "TLS 1.2"
  1350. (5) Sent Access-Challenge Id 5 from 192.168.1.2:1812 to 192.168.1.2:52174 length 119
  1351. (5) EAP-Message = 0x01ce003d0d80000000331403030001011603030028222bafcaeae4adb512435e98c0bb2d6fa46944a56d4ecb600229341afd094dd362332bef02b05e48
  1352. (5) Message-Authenticator = 0x00000000000000000000000000000000
  1353. (5) State = 0xadc99705a8079a527377a09714487362
  1354. (5) Finished request
  1355. Waking up in 4.9 seconds.
  1356. (6) Received Access-Request Id 6 from 192.168.1.2:52174 to 192.168.1.2:1812 length 140
  1357. (6) User-Name = "johndoe"
  1358. (6) NAS-IP-Address = 127.0.0.1
  1359. (6) Calling-Station-Id = "02-00-00-00-00-01"
  1360. (6) Framed-MTU = 1400
  1361. (6) NAS-Port-Type = Wireless-802.11
  1362. (6) Service-Type = Framed-User
  1363. (6) Connect-Info = "CONNECT 11Mbps 802.11b"
  1364. (6) EAP-Message = 0x02ce00060d00
  1365. (6) State = 0xadc99705a8079a527377a09714487362
  1366. (6) Message-Authenticator = 0xed92c109f69be26000bf3cfd482125f3
  1367. (6) Restoring &session-state
  1368. (6) &session-state:Framed-MTU = 1014
  1369. (6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
  1370. (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
  1371. (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
  1372. (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
  1373. (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
  1374. (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
  1375. (6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Certificate"
  1376. (6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
  1377. (6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, CertificateVerify"
  1378. (6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
  1379. (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
  1380. (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
  1381. (6) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
  1382. (6) &session-state:TLS-Session-Version = "TLS 1.2"
  1383. (6) # Executing section authorize from file /etc/raddb/sites-enabled/default
  1384. (6) authorize {
  1385. (6) policy filter_username {
  1386. (6) if (&User-Name) {
  1387. (6) if (&User-Name) -> TRUE
  1388. (6) if (&User-Name) {
  1389. (6) if (&User-Name =~ / /) {
  1390. (6) if (&User-Name =~ / /) -> FALSE
  1391. (6) if (&User-Name =~ /@[^@]*@/ ) {
  1392. (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  1393. (6) if (&User-Name =~ /\.\./ ) {
  1394. (6) if (&User-Name =~ /\.\./ ) -> FALSE
  1395. (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  1396. (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  1397. (6) if (&User-Name =~ /\.$/) {
  1398. (6) if (&User-Name =~ /\.$/) -> FALSE
  1399. (6) if (&User-Name =~ /@\./) {
  1400. (6) if (&User-Name =~ /@\./) -> FALSE
  1401. (6) } # if (&User-Name) = notfound
  1402. (6) } # policy filter_username = notfound
  1403. (6) [preprocess] = ok
  1404. (6) [chap] = noop
  1405. (6) [mschap] = noop
  1406. (6) [digest] = noop
  1407. (6) suffix: Checking for suffix after "@"
  1408. (6) suffix: No '@' in User-Name = "johndoe", looking up realm NULL
  1409. (6) suffix: Found realm "NULL"
  1410. (6) suffix: Adding Stripped-User-Name = "johndoe"
  1411. (6) suffix: Adding Realm = "NULL"
  1412. (6) suffix: Authentication realm is LOCAL
  1413. (6) [suffix] = ok
  1414. (6) eap: Peer sent EAP Response (code 2) ID 206 length 6
  1415. (6) eap: No EAP Start, assuming it's an on-going EAP conversation
  1416. (6) [eap] = updated
  1417. (6) [files] = noop
  1418. (6) [expiration] = noop
  1419. (6) [logintime] = noop
  1420. (6) [pap] = noop
  1421. (6) } # authorize = updated
  1422. (6) Found Auth-Type = eap
  1423. (6) # Executing group from file /etc/raddb/sites-enabled/default
  1424. (6) authenticate {
  1425. (6) eap: Expiring EAP session with state 0xadc99705a8079a52
  1426. (6) eap: Finished EAP session with state 0xadc99705a8079a52
  1427. (6) eap: Previous EAP request found for state 0xadc99705a8079a52, released from the list
  1428. (6) eap: Peer sent packet with method EAP TLS (13)
  1429. (6) eap: Calling submodule eap_tls to process data
  1430. (6) eap_tls: (TLS) Peer ACKed our handshake fragment. handshake is finished
  1431. (6) eap_tls: (TLS) cache - Setting up attributes for session resumption
  1432. (6) eap_tls: caching Stripped-User-Name = "johndoe"
  1433. (6) eap_tls: caching EAP-Type = TLS
  1434. (6) eap_tls: caching TLS-Cert-Serial := "010bd40c3282bd9d0cd4571bb51111c87f2a757a"
  1435. (6) eap_tls: caching TLS-Cert-Expiration := "280724055333Z"
  1436. (6) eap_tls: caching TLS-Cert-Valid-Since := "230726055333Z"
  1437. (6) eap_tls: caching TLS-Cert-Subject := "/C=TW/ST=Taiwan/L=Taipei/O=Example Inc/OU=Software Technology/CN=example.com/[email protected]"
  1438. (6) eap_tls: caching TLS-Cert-Issuer := "/C=TW/ST=Taiwan/L=Taipei/O=Example Inc/OU=Software Technology/CN=example.com/[email protected]"
  1439. (6) eap_tls: caching TLS-Cert-Common-Name := "example.com"
  1440. (6) eap_tls: caching TLS-Client-Cert-Serial := "616e19f1f8c134e8ee67f90b13c0b340a37eab4f"
  1441. (6) eap_tls: caching TLS-Client-Cert-Expiration := "330915024617Z"
  1442. (6) eap_tls: caching TLS-Client-Cert-Valid-Since := "230918024617Z"
  1443. (6) eap_tls: caching TLS-Client-Cert-Subject := "/C=TW/ST=Taiwan/L=Taipei/O=subject/OU=subject/CN=johndoe/[email protected]"
  1444. (6) eap_tls: caching TLS-Client-Cert-Issuer := "/C=TW/ST=Taiwan/L=Taipei/O=Example Inc/OU=Software Technology/CN=example.com/[email protected]"
  1445. (6) eap_tls: caching TLS-Client-Cert-Common-Name := "johndoe"
  1446. (6) eap_tls: Failed to find 'persist_dir' in TLS configuration. Session will not be cached on disk.
  1447. (6) eap: Sending EAP Success (code 3) ID 206 length 4
  1448. (6) eap: Freeing handler
  1449. (6) [eap] = ok
  1450. (6) } # authenticate = ok
  1451. (6) # Executing section post-auth from file /etc/raddb/sites-enabled/default
  1452. (6) post-auth {
  1453. (6) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
  1454. (6) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
  1455. (6) update {
  1456. (6) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 1014
  1457. (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake, ClientHello'
  1458. (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHello'
  1459. (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Certificate'
  1460. (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerKeyExchange'
  1461. (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, CertificateRequest'
  1462. (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHelloDone'
  1463. (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, Certificate'
  1464. (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, ClientKeyExchange'
  1465. (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, CertificateVerify'
  1466. (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, Finished'
  1467. (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 ChangeCipherSpec'
  1468. (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Finished'
  1469. (6) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
  1470. (6) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2'
  1471. (6) } # update = noop
  1472. (6) [exec] = noop
  1473. (6) policy remove_reply_message_if_eap {
  1474. (6) if (&reply:EAP-Message && &reply:Reply-Message) {
  1475. (6) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
  1476. (6) else {
  1477. (6) [noop] = noop
  1478. (6) } # else = noop
  1479. (6) } # policy remove_reply_message_if_eap = noop
  1480. (6) if (EAP-Key-Name && &reply:EAP-Session-Id) {
  1481. (6) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE
  1482. (6) } # post-auth = noop
  1483. (6) Login OK: [johndoe/<via Auth-Type = eap>] (from client private-network-2 port 0 cli 02-00-00-00-00-01)
  1484. (6) Sent Access-Accept Id 6 from 192.168.1.2:1812 to 192.168.1.2:52174 length 175
  1485. (6) MS-MPPE-Recv-Key = 0xe255f998abb9b8f85bfe9056985176dab99462df283afa063aa6cf49ba636a45
  1486. (6) MS-MPPE-Send-Key = 0xdf89b8bd766edad9130d65e1ab085dee73c586f426de388bdd9716543f30d7a4
  1487. (6) EAP-Message = 0x03ce0004
  1488. (6) Message-Authenticator = 0x00000000000000000000000000000000
  1489. (6) User-Name = "johndoe"
  1490. (6) Framed-MTU += 1014
  1491. (6) Finished request
  1492. Waking up in 4.9 seconds.
  1493. (0) Cleaning up request packet ID 0 with timestamp +16 due to cleanup_delay was reached
  1494. (1) Cleaning up request packet ID 1 with timestamp +16 due to cleanup_delay was reached
  1495. (2) Cleaning up request packet ID 2 with timestamp +16 due to cleanup_delay was reached
  1496. (3) Cleaning up request packet ID 3 with timestamp +16 due to cleanup_delay was reached
  1497. (4) Cleaning up request packet ID 4 with timestamp +16 due to cleanup_delay was reached
  1498. (5) Cleaning up request packet ID 5 with timestamp +16 due to cleanup_delay was reached
  1499. (6) Cleaning up request packet ID 6 with timestamp +16 due to cleanup_delay was reached
  1500. Ready to process requests
  1501.  
Tags: 802.1X