@olivierbeytrison
Created July 18, 2013 13:47
eap-peap/mschapv2 auth
root@hefrrad03:~# radiusd -X
radiusd: FreeRADIUS Version 3.0.0, for host x86_64-unknown-linux-gnu, built on Jul 17 2013 at 16:21:28
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including dictionary file /srv/freeradius/etc/raddb/dictionary
including configuration file /srv/freeradius/etc/raddb/radiusd.conf
including files in directory /srv/freeradius/etc/raddb/local.d/
including configuration file /srv/freeradius/etc/raddb/local.d/example
including configuration file /srv/freeradius/etc/raddb/local.d/eduroam.conf
including configuration file /srv/freeradius/etc/raddb/proxy.conf
including configuration file /srv/freeradius/etc/raddb/clients.conf
including files in directory /srv/freeradius/etc/raddb/mods-enabled/
including configuration file /srv/freeradius/etc/raddb/mods-enabled/pap
including configuration file /srv/freeradius/etc/raddb/mods-enabled/mschap
including configuration file /srv/freeradius/etc/raddb/mods-enabled/exec
including configuration file /srv/freeradius/etc/raddb/mods-enabled/expiration
including configuration file /srv/freeradius/etc/raddb/mods-enabled/ntlm_auth
including configuration file /srv/freeradius/etc/raddb/mods-enabled/radutmp
including configuration file /srv/freeradius/etc/raddb/mods-enabled/chap
including configuration file /srv/freeradius/etc/raddb/mods-enabled/linelog
including configuration file /srv/freeradius/etc/raddb/mods-enabled/preprocess
including configuration file /srv/freeradius/etc/raddb/mods-enabled/dynamic_clients
including configuration file /srv/freeradius/etc/raddb/mods-enabled/replicate
including configuration file /srv/freeradius/etc/raddb/mods-enabled/digest
including configuration file /srv/freeradius/etc/raddb/mods-enabled/unix
including configuration file /srv/freeradius/etc/raddb/mods-enabled/utf8
including configuration file /srv/freeradius/etc/raddb/mods-enabled/attr_filter
including configuration file /srv/freeradius/etc/raddb/mods-enabled/passwd
including configuration file /srv/freeradius/etc/raddb/mods-enabled/cache_eap
including configuration file /srv/freeradius/etc/raddb/mods-enabled/detail.log
including configuration file /srv/freeradius/etc/raddb/mods-enabled/sradutmp
including configuration file /srv/freeradius/etc/raddb/mods-enabled/realm
including configuration file /srv/freeradius/etc/raddb/mods-enabled/logintime
including configuration file /srv/freeradius/etc/raddb/mods-enabled/expr
including configuration file /srv/freeradius/etc/raddb/mods-enabled/files
including configuration file /srv/freeradius/etc/raddb/mods-enabled/echo
including configuration file /srv/freeradius/etc/raddb/mods-enabled/ldap
including configuration file /srv/freeradius/etc/raddb/mods-enabled/detail
including configuration file /srv/freeradius/etc/raddb/mods-enabled/always
including configuration file /srv/freeradius/etc/raddb/mods-enabled/dhcp
including configuration file /srv/freeradius/etc/raddb/mods-enabled/soh
including configuration file /srv/freeradius/etc/raddb/mods-enabled/eap
including files in directory /srv/freeradius/etc/raddb/policy.d/
including configuration file /srv/freeradius/etc/raddb/policy.d/cui
including configuration file /srv/freeradius/etc/raddb/policy.d/filter
including configuration file /srv/freeradius/etc/raddb/policy.d/control
including configuration file /srv/freeradius/etc/raddb/policy.d/canonicalization
including configuration file /srv/freeradius/etc/raddb/policy.d/wireless-policy
including configuration file /srv/freeradius/etc/raddb/policy.d/accounting
including configuration file /srv/freeradius/etc/raddb/policy.d/operator-name
including configuration file /srv/freeradius/etc/raddb/policy.d/dhcp
including configuration file /srv/freeradius/etc/raddb/policy.d/eap
including files in directory /srv/freeradius/etc/raddb/sites-enabled/
including configuration file /srv/freeradius/etc/raddb/sites-enabled/hefr
including configuration file /srv/freeradius/etc/raddb/sites-enabled/default
including configuration file /srv/freeradius/etc/raddb/sites-enabled/secure-hefr-inner-tunnel
including configuration file /srv/freeradius/etc/raddb/sites-enabled/inner-tunnel
main {
security {
allow_core_dumps = no
}
}
main {
name = "radiusd"
prefix = "/srv/freeradius"
localstatedir = "/srv/freeradius/var"
sbindir = "/srv/freeradius/sbin"
logdir = "/srv/freeradius/var/log"
run_dir = "/srv/freeradius/var/run/radiusd"
libdir = "/srv/freeradius/lib"
radacctdir = "/srv/freeradius/var/log/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/srv/freeradius/var/run/radiusd/radiusd.pid"
checkrad = "/srv/freeradius/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
home_server eduroam-rad1.hes-so.ch {
ipaddr = 000.00.240.20
port = 1812
type = "auth+acct"
proto = "udp"
secret = "asdfafddsaf"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
revive_interval = 60
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
home_server eduroam-rad2.hes-so.ch {
ipaddr = 000.00.240.21
port = 1812
type = "auth+acct"
proto = "udp"
secret = "adsfsadfasdf"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
revive_interval = 60
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
realm SOFR {
nostrip
}
home_server_pool EDUROAM-HESSO {
type = fail-over
home_server = eduroam-rad1.hes-so.ch
home_server = eduroam-rad2.hes-so.ch
}
realm hefr.ch {
pool = EDUROAM-HESSO
nostrip
}
realm hes-so.ch {
pool = EDUROAM-HESSO
nostrip
}
realm LOCAL {
nostrip
}
realm NULL {
nostrip
}
realm DEFAULT {
pool = EDUROAM-HESSO
nostrip
}
radiusd: #### Loading Clients ####
client eduroam-radX.hes-so.ch {
ipaddr = 000.00.240.20
netmask = 31
require_message_authenticator = yes
secret = "adsfadfdasfsaf"
shortname = "eduroam-hesso"
nas_type = "other"
virtual_server = "eduroam"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 127.0.0.1 {
ipaddr = 127.0.0.1
netmask = 32
require_message_authenticator = yes
secret = "asdfadsfsafdsaf"
shortname = "loopback"
nas_type = "other"
virtual_server = "eduroam"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client hefr-wlc {
ipaddr = 000.00.157.2
netmask = 23
require_message_authenticator = yes
secret = "adsfadsfasdfsaf"
shortname = "hefr-wlc"
nas_type = "other"
virtual_server = "eduroam"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
radiusd: #### Instantiating modules ####
instantiate {
}
modules {
# Loaded module rlm_pap
# Instantiating module "pap" from file /srv/freeradius/etc/raddb/mods-enabled/pap
pap {
auto_header = no
normalise = yes
}
# Loaded module rlm_mschap
# Instantiating module "mschap" from file /srv/freeradius/etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
}
# Loaded module rlm_exec
# Instantiating module "exec" from file /srv/freeradius/etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
# Loaded module rlm_expiration
# Instantiating module "expiration" from file /srv/freeradius/etc/raddb/mods-enabled/expiration
# Instantiating module "ntlm_auth" from file /srv/freeradius/etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_radutmp
# Instantiating module "radutmp" from file /srv/freeradius/etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/srv/freeradius/var/log/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_chap
# Instantiating module "chap" from file /srv/freeradius/etc/raddb/mods-enabled/chap
# Loaded module rlm_linelog
# Instantiating module "linelog" from file /srv/freeradius/etc/raddb/mods-enabled/linelog
linelog {
filename = "/srv/freeradius/var/log/linelog"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "%{%{Packet-Type}:-format}"
}
# Loaded module rlm_preprocess
# Instantiating module "preprocess" from file /srv/freeradius/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/srv/freeradius/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/srv/freeradius/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /srv/freeradius/etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /srv/freeradius/etc/raddb/mods-config/preprocess/hints
# Loaded module rlm_dynamic_clients
# Instantiating module "dynamic_clients" from file /srv/freeradius/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_replicate
# Instantiating module "replicate" from file /srv/freeradius/etc/raddb/mods-enabled/replicate
# Loaded module rlm_digest
# Instantiating module "digest" from file /srv/freeradius/etc/raddb/mods-enabled/digest
# Loaded module rlm_unix
# Instantiating module "unix" from file /srv/freeradius/etc/raddb/mods-enabled/unix
unix {
radwtmp = "/srv/freeradius/var/log/radwtmp"
}
# Loaded module rlm_utf8
# Instantiating module "utf8" from file /srv/freeradius/etc/raddb/mods-enabled/utf8
# Loaded module rlm_attr_filter
# Instantiating module "attr_filter.post-proxy" from file /srv/freeradius/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/srv/freeradius/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /srv/freeradius/etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /srv/freeradius/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/srv/freeradius/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /srv/freeradius/etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /srv/freeradius/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/srv/freeradius/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /srv/freeradius/etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file /srv/freeradius/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/srv/freeradius/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /srv/freeradius/etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /srv/freeradius/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/srv/freeradius/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /srv/freeradius/etc/raddb/mods-config/attr_filter/accounting_response
# Loaded module rlm_passwd
# Instantiating module "etc_passwd" from file /srv/freeradius/etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Loaded module rlm_cache
# Instantiating module "cache_eap" from file /srv/freeradius/etc/raddb/mods-enabled/cache_eap
cache cache_eap {
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 16384
epoch = 0
add_stats = no
}
# Loaded module rlm_detail
# Instantiating module "auth_log" from file /srv/freeradius/etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
# Instantiating module "reply_log" from file /srv/freeradius/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
# Instantiating module "pre_proxy_log" from file /srv/freeradius/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
# Instantiating module "post_proxy_log" from file /srv/freeradius/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
# Instantiating module "sradutmp" from file /srv/freeradius/etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/srv/freeradius/var/log/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_realm
# Instantiating module "IPASS" from file /srv/freeradius/etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Instantiating module "suffix" from file /srv/freeradius/etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Instantiating module "realmpercent" from file /srv/freeradius/etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Instantiating module "ntdomain" from file /srv/freeradius/etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = yes
ignore_null = yes
}
# Loaded module rlm_logintime
# Instantiating module "logintime" from file /srv/freeradius/etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_expr
# Instantiating module "expr" from file /srv/freeradius/etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
# Loaded module rlm_files
# Instantiating module "files" from file /srv/freeradius/etc/raddb/mods-enabled/files
files {
filename = "/srv/freeradius/etc/raddb/mods-config/files/authorize"
usersfile = "/srv/freeradius/etc/raddb/mods-config/files/authorize"
acctusersfile = "/srv/freeradius/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/srv/freeradius/etc/raddb/mods-config/files/pre-proxy"
compat = "no"
}
reading pairlist file /srv/freeradius/etc/raddb/mods-config/files/authorize
reading pairlist file /srv/freeradius/etc/raddb/mods-config/files/authorize
reading pairlist file /srv/freeradius/etc/raddb/mods-config/files/accounting
reading pairlist file /srv/freeradius/etc/raddb/mods-config/files/pre-proxy
# Instantiating module "echo" from file /srv/freeradius/etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_ldap
# Instantiating module "ldap" from file /srv/freeradius/etc/raddb/mods-enabled/ldap
ldap {
server = "afadfadsf"
port = 636
password = "asfdasdfa"
identity = "cadsfasfd,o=system"
edir = yes
edir_autz = yes
user {
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
scope = "sub"
base_dn = "ou=pasdfafdsefr"
access_positive = yes
}
group {
filter = "(objectClass=posixGroup)"
scope = "sub"
base_dn = "oasdfafr"
name_attribute = "cn"
membership_attribute = "memberOf"
cacheable_name = no
cacheable_dn = no
}
client {
filter = "(objectClass=frClient)"
scope = "sub"
base_dn = "o=hefr"
attribute {
identifier = "frClientIdentifier"
shortname = "cn"
secret = "frClientSecret"
}
}
profile {
filter = "(&)"
}
options {
ldap_debug = 40
chase_referrals = yes
rebind = yes
net_timeout = 1
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 3
}
tls {
start_tls = no
}
}
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
}
post-auth {
reference = "."
}
rlm_ldap (ldap): Initialising connection pool
pool {
start = 5
min = 4
max = 10
spare = 3
uses = 0
lifetime = 0
cleanup_delay = 5
idle_timeout = 60
spread = no
}
rlm_ldap (ldap): Opening additional connection (0)
rlm_ldap (ldap): Connecting to hefridm.hefr.ch:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (1)
rlm_ldap (ldap): Connecting to hefridm.hefr.ch:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (2)
rlm_ldap (ldap): Connecting to hefridm.hefr.ch:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (3)
rlm_ldap (ldap): Connecting to hefridm.hefr.ch:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (4)
rlm_ldap (ldap): Connecting to hefridm.hefr.ch:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
# Instantiating module "detail" from file /srv/freeradius/etc/raddb/mods-enabled/detail
detail {
filename = "/srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
# Loaded module rlm_always
# Instantiating module "fail" from file /srv/freeradius/etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Instantiating module "reject" from file /srv/freeradius/etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Instantiating module "noop" from file /srv/freeradius/etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Instantiating module "handled" from file /srv/freeradius/etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Instantiating module "updated" from file /srv/freeradius/etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Instantiating module "notfound" from file /srv/freeradius/etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Instantiating module "ok" from file /srv/freeradius/etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loaded module rlm_dhcp
# Instantiating module "dhcp" from file /srv/freeradius/etc/raddb/mods-enabled/dhcp
# Loaded module rlm_soh
# Instantiating module "soh" from file /srv/freeradius/etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_eap
# Instantiating module "eap" from file /srv/freeradius/etc/raddb/mods-enabled/eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
mod_accounting_username_bug = no
max_sessions = 4096
}
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
ca_path = "/srv/freeradius/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/srv/freeradius/etc/raddb/certs/eduroam.hes-so.ch.key"
certificate_file = "/srv/freeradius/etc/raddb/certs/eduroam.hes-so.ch-chained.crt"
private_key_password = "whatever"
dh_file = "/srv/freeradius/etc/raddb/certs/dh"
random_file = "/srv/freeradius/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24
max_entries = 0
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = yes
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "secure-hefr-inner-tunnel"
include_length = yes
require_client_cert = no
}
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_method = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "secure-hefr-inner-tunnel"
soh = no
require_client_cert = no
}
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /srv/freeradius/etc/raddb/radiusd.conf
} # server
server eduroam { # from file /srv/freeradius/etc/raddb/sites-enabled/hefr
# Loading authenticate {...}
# Loading authorize {...}
# Loading virtual module permit_only_eap
# Loading virtual module rewrite_called_station_id
# Loading virtual module rewrite_calling_station_id
# Loading preacct {...}
# Loading accounting {...}
# Loading pre-proxy {...}
# Loading post-proxy {...}
# Loading virtual module split_username_nai
# Loading post-auth {...}
# Loading virtual module remove_reply_message_if_eap
# Loading virtual module wireless-policy
# Loading virtual module remove_reply_message_if_eap
} # server
server secure-hefr-inner-tunnel { # from file /srv/freeradius/etc/raddb/sites-enabled/secure-hefr-inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading post-auth {...}
# Loading virtual module wireless-policy
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 1812
}
listen {
type = "acct"
ipaddr = *
port = 1813
}
Listening on auth address * port 1812
Listening on acct address * port 1813
Opening new proxy address * port 1814
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 000.00.157.2 port 32768, id=146, length=264
User-Name = 'SOFR\\masked-uid'
Calling-Station-Id = '00-24-d7-9b-37-a4'
Called-Station-Id = '00-14-1b-b5-2e-70:SECURE-HEFR-2'
NAS-Port = 13
Cisco-AVPair = 'audit-session-id=a0629d02000000e851e7b6d1'
NAS-IP-Address = 000.00.157.2
NAS-Identifier = 'wlc.per80-EAP'
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = '112'
EAP-Message = 0x0202001a01534f46525c6f6c69766965722e626579747269736f
Message-Authenticator = 0x7776649334f0988db7697c76a6a56ede
(0) # Executing section authorize from file /srv/freeradius/etc/raddb/sites-enabled/hefr
(0) group authorize {
(0) - entering group authorize {...}
(0) ? if (NAS-Identifier =~ /.*-EAP$/)
(0) ? if (NAS-Identifier =~ /.*-EAP$/) -> TRUE
(0) if (NAS-Identifier =~ /.*-EAP$/) {
(0) - entering if (NAS-Identifier =~ /.*-EAP$/) {...}
(0) policy permit_only_eap {
(0) - entering policy permit_only_eap {...}
(0) ? if (!EAP-Message)
(0) ? if (!EAP-Message) -> FALSE
(0) - policy permit_only_eap returns notfound
(0) - if (NAS-Identifier =~ /.*-EAP$/) returns notfound
(0) policy rewrite_called_station_id {
(0) - entering policy rewrite_called_station_id {...}
(0) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)
(0) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE
(0) if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {
(0) - entering if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {...}
(0) update request {
(0) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-14-1b-b5-2e-70'
(0) Called-Station-Id := "00-14-1b-b5-2e-70"
(0) } # update request = notfound
(0) ? if ("%{8}")
(0) expand: "%{8}" -> 'SECURE-HEFR-2'
(0) ? if ("%{8}") -> TRUE
(0) if ("%{8}") {
(0) - entering if ("%{8}") {...}
(0) update request {
(0) expand: "%{8}" -> 'SECURE-HEFR-2'
(0) Called-Station-SSID := "SECURE-HEFR-2"
(0) } # update request = notfound
(0) - if ("%{8}") returns notfound
(0) [updated] = updated
(0) - if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) returns updated
(0) ... skipping else for request 0: Preceding "if" was taken
(0) - policy rewrite_called_station_id returns updated
(0) policy rewrite_calling_station_id {
(0) - entering policy rewrite_calling_station_id {...}
(0) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)
(0) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) -> TRUE
(0) if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
(0) - entering if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {...}
(0) update request {
(0) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-24-d7-9b-37-a4'
(0) Calling-Station-Id := "00-24-d7-9b-37-a4"
(0) } # update request = updated
(0) [updated] = updated
(0) - if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) returns updated
(0) ... skipping else for request 0: Preceding "if" was taken
(0) - policy rewrite_calling_station_id returns updated
(0) auth_log : expand: "/srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718'
(0) auth_log : /srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718
(0) auth_log : expand: "%t" -> 'Thu Jul 18 11:35:14 2013'
(0) [auth_log] = ok
(0) ? if ("%{client:location}")
(0) expand: "%{client:location}" -> 'RORG-HEFR'
(0) ? if ("%{client:location}") -> TRUE
(0) if ("%{client:location}") {
(0) - entering if ("%{client:location}") {...}
(0) update request {
(0) expand: "%{client:location}" -> 'RORG-HEFR'
(0) HESSO-Location := "RORG-HEFR"
(0) } # update request = ok
(0) - if ("%{client:location}") returns ok
(0) ntdomain : Looking up realm "SOFR" for User-Name = "SOFR\masked-uid"
(0) ntdomain : Found realm "SOFR"
(0) ntdomain : Adding Realm = "SOFR"
(0) ntdomain : Authentication realm is LOCAL.
(0) [ntdomain] = ok
(0) suffix : Request already has destination realm set. Ignoring.
(0) [suffix] = ok
(0) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2')
(0) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2') -> FALSE
(0) eap : EAP packet type response id 2 length 26
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4)
(0) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4) -> FALSE
(0) Found Auth-Type = EAP
(0) # Executing group from file /srv/freeradius/etc/raddb/sites-enabled/hefr
(0) group authenticate {
(0) - entering group authenticate {...}
(0) eap : Peer sent Identity (1)
(0) eap : Calling eap_peap to process EAP data
(0) eap_peap : Flushing SSL sessions (of #0)
(0) eap_peap : Initiate
(0) eap_peap : Start returned 1
(0) eap : New EAP session, adding 'State' attribute to reply 0xd6bf5df5d6bc4439
(0) [eap] = handled
Sending Access-Challenge of id 146 from 0.0.0.0 port 1812 to 000.00.157.2 port 32768
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd6bf5df5d6bc4439f1739a59943e5377
(0) Finished request 0.
Waking up in 0.3 seconds.
rad_recv: Access-Request packet from host 000.00.157.2 port 32768, id=147, length=393
User-Name = 'SOFR\\masked-uid'
Calling-Station-Id = '00-24-d7-9b-37-a4'
Called-Station-Id = '00-14-1b-b5-2e-70:SECURE-HEFR-2'
NAS-Port = 13
Cisco-AVPair = 'audit-session-id=a0629d02000000e851e7b6d1'
NAS-IP-Address = 000.00.157.2
NAS-Identifier = 'wlc.per80-EAP'
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = '112'
EAP-Message = 0x0203008919800000007f160301007a01000076030151e7b6ce6e9101d96ba664e18d090e9c4548cb641ced68611fff86ed20fe72612015ab893fe6f899a4316ac6df02bfb89e214e98b4697923a1c1638b132984e81e0018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100
State = 0xd6bf5df5d6bc4439f1739a59943e5377
Message-Authenticator = 0x958474f0a36c55881f1bcffa53f618f8
(1) # Executing section authorize from file /srv/freeradius/etc/raddb/sites-enabled/hefr
(1) group authorize {
(1) - entering group authorize {...}
(1) ? if (NAS-Identifier =~ /.*-EAP$/)
(1) ? if (NAS-Identifier =~ /.*-EAP$/) -> TRUE
(1) if (NAS-Identifier =~ /.*-EAP$/) {
(1) - entering if (NAS-Identifier =~ /.*-EAP$/) {...}
(1) policy permit_only_eap {
(1) - entering policy permit_only_eap {...}
(1) ? if (!EAP-Message)
(1) ? if (!EAP-Message) -> FALSE
(1) - policy permit_only_eap returns notfound
(1) - if (NAS-Identifier =~ /.*-EAP$/) returns notfound
(1) policy rewrite_called_station_id {
(1) - entering policy rewrite_called_station_id {...}
(1) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)
(1) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE
(1) if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {
(1) - entering if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {...}
(1) update request {
(1) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-14-1b-b5-2e-70'
(1) Called-Station-Id := "00-14-1b-b5-2e-70"
(1) } # update request = notfound
(1) ? if ("%{8}")
(1) expand: "%{8}" -> 'SECURE-HEFR-2'
(1) ? if ("%{8}") -> TRUE
(1) if ("%{8}") {
(1) - entering if ("%{8}") {...}
(1) update request {
(1) expand: "%{8}" -> 'SECURE-HEFR-2'
(1) Called-Station-SSID := "SECURE-HEFR-2"
(1) } # update request = notfound
(1) - if ("%{8}") returns notfound
(1) [updated] = updated
(1) - if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) returns updated
(1) ... skipping else for request 1: Preceding "if" was taken
(1) - policy rewrite_called_station_id returns updated
(1) policy rewrite_calling_station_id {
(1) - entering policy rewrite_calling_station_id {...}
(1) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)
(1) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) -> TRUE
(1) if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
(1) - entering if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {...}
(1) update request {
(1) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-24-d7-9b-37-a4'
(1) Calling-Station-Id := "00-24-d7-9b-37-a4"
(1) } # update request = updated
(1) [updated] = updated
(1) - if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) returns updated
(1) ... skipping else for request 1: Preceding "if" was taken
(1) - policy rewrite_calling_station_id returns updated
(1) auth_log : expand: "/srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718'
(1) auth_log : /srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718
(1) auth_log : expand: "%t" -> 'Thu Jul 18 11:35:14 2013'
(1) [auth_log] = ok
(1) ? if ("%{client:location}")
(1) expand: "%{client:location}" -> 'RORG-HEFR'
(1) ? if ("%{client:location}") -> TRUE
(1) if ("%{client:location}") {
(1) - entering if ("%{client:location}") {...}
(1) update request {
(1) expand: "%{client:location}" -> 'RORG-HEFR'
(1) HESSO-Location := "RORG-HEFR"
(1) } # update request = ok
(1) - if ("%{client:location}") returns ok
(1) ntdomain : Looking up realm "SOFR" for User-Name = "SOFR\masked-uid"
(1) ntdomain : Found realm "SOFR"
(1) ntdomain : Adding Realm = "SOFR"
(1) ntdomain : Authentication realm is LOCAL.
(1) [ntdomain] = ok
(1) suffix : Request already has destination realm set. Ignoring.
(1) [suffix] = ok
(1) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2')
(1) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2') -> FALSE
(1) eap : EAP packet type response id 3 length 137
(1) eap : Continuing tunnel setup.
(1) [eap] = ok
(1) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4)
(1) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4) -> FALSE
(1) Found Auth-Type = EAP
(1) # Executing group from file /srv/freeradius/etc/raddb/sites-enabled/hefr
(1) group authenticate {
(1) - entering group authenticate {...}
(1) eap : Expiring EAP session with state 0xd6bf5df5d6bc4439
(1) eap : Finished EAP session with state 0xd6bf5df5d6bc4439
(1) eap : Previous EAP request found for state 0xd6bf5df5d6bc4439, released from the list
(1) eap : Peer sent PEAP (25)
(1) eap : EAP PEAP (25)
(1) eap : Calling eap_peap to process EAP data
(1) eap_peap : processing EAP-TLS
TLS Length 127
(1) eap_peap : Length Included
(1) eap_peap : eaptls_verify returned 11
(1) eap_peap : (other): before/accept initialization
(1) eap_peap : TLS_accept: before/accept initialization
(1) eap_peap : <<< TLS 1.0 Handshake [length 007a], ClientHello
SSL: Client requested cached session 15ab893fe6f899a4316ac6df02bfb89e214e98b4697923a1c1638b132984e81e
(1) eap_peap : TLS_accept: SSLv3 read client hello A
(1) eap_peap : >>> TLS 1.0 Handshake [length 0051], ServerHello
(1) eap_peap : TLS_accept: SSLv3 write server hello A
(1) eap_peap : >>> TLS 1.0 Handshake [length 0aa1], Certificate
(1) eap_peap : TLS_accept: SSLv3 write certificate A
(1) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(1) eap_peap : TLS_accept: SSLv3 write server done A
(1) eap_peap : TLS_accept: SSLv3 flush data
(1) eap_peap : TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
(1) eap_peap : eaptls_process returned 13
(1) eap_peap : FR_TLS_HANDLED
(1) eap : New EAP session, adding 'State' attribute to reply 0xd6bf5df5d7bb4439
(1) [eap] = handled
Sending Access-Challenge of id 147 from 0.0.0.0 port 1812 to 000.00.157.2 port 32768
EAP-Message =
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd6bf5df5d7bb4439f1739a59943e5377
(1) Finished request 1.
Waking up in 0.3 seconds.
rad_recv: Access-Request packet from host 000.00.157.2 port 32768, id=148, length=262
User-Name = 'SOFR\\masked-uid'
Calling-Station-Id = '00-24-d7-9b-37-a4'
Called-Station-Id = '00-14-1b-b5-2e-70:SECURE-HEFR-2'
NAS-Port = 13
Cisco-AVPair = 'audit-session-id=a0629d02000000e851e7b6d1'
NAS-IP-Address = 000.00.157.2
NAS-Identifier = 'wlc.per80-EAP'
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = '112'
EAP-Message = 0x020400061900
State = 0xd6bf5df5d7bb4439f1739a59943e5377
Message-Authenticator = 0x89fb5dead461aed5f007286d6519290a
(2) # Executing section authorize from file /srv/freeradius/etc/raddb/sites-enabled/hefr
(2) group authorize {
(2) - entering group authorize {...}
(2) ? if (NAS-Identifier =~ /.*-EAP$/)
(2) ? if (NAS-Identifier =~ /.*-EAP$/) -> TRUE
(2) if (NAS-Identifier =~ /.*-EAP$/) {
(2) - entering if (NAS-Identifier =~ /.*-EAP$/) {...}
(2) policy permit_only_eap {
(2) - entering policy permit_only_eap {...}
(2) ? if (!EAP-Message)
(2) ? if (!EAP-Message) -> FALSE
(2) - policy permit_only_eap returns notfound
(2) - if (NAS-Identifier =~ /.*-EAP$/) returns notfound
(2) policy rewrite_called_station_id {
(2) - entering policy rewrite_called_station_id {...}
(2) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)
(2) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE
(2) if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {
(2) - entering if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {...}
(2) update request {
(2) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-14-1b-b5-2e-70'
(2) Called-Station-Id := "00-14-1b-b5-2e-70"
(2) } # update request = notfound
(2) ? if ("%{8}")
(2) expand: "%{8}" -> 'SECURE-HEFR-2'
(2) ? if ("%{8}") -> TRUE
(2) if ("%{8}") {
(2) - entering if ("%{8}") {...}
(2) update request {
(2) expand: "%{8}" -> 'SECURE-HEFR-2'
(2) Called-Station-SSID := "SECURE-HEFR-2"
(2) } # update request = notfound
(2) - if ("%{8}") returns notfound
(2) [updated] = updated
(2) - if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) returns updated
(2) ... skipping else for request 2: Preceding "if" was taken
(2) - policy rewrite_called_station_id returns updated
(2) policy rewrite_calling_station_id {
(2) - entering policy rewrite_calling_station_id {...}
(2) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)
(2) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) -> TRUE
(2) if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
(2) - entering if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {...}
(2) update request {
(2) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-24-d7-9b-37-a4'
(2) Calling-Station-Id := "00-24-d7-9b-37-a4"
(2) } # update request = updated
(2) [updated] = updated
(2) - if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) returns updated
(2) ... skipping else for request 2: Preceding "if" was taken
(2) - policy rewrite_calling_station_id returns updated
(2) auth_log : expand: "/srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718'
(2) auth_log : /srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718
(2) auth_log : expand: "%t" -> 'Thu Jul 18 11:35:14 2013'
(2) [auth_log] = ok
(2) ? if ("%{client:location}")
(2) expand: "%{client:location}" -> 'RORG-HEFR'
(2) ? if ("%{client:location}") -> TRUE
(2) if ("%{client:location}") {
(2) - entering if ("%{client:location}") {...}
(2) update request {
(2) expand: "%{client:location}" -> 'RORG-HEFR'
(2) HESSO-Location := "RORG-HEFR"
(2) } # update request = ok
(2) - if ("%{client:location}") returns ok
(2) ntdomain : Looking up realm "SOFR" for User-Name = "SOFR\masked-uid"
(2) ntdomain : Found realm "SOFR"
(2) ntdomain : Adding Realm = "SOFR"
(2) ntdomain : Authentication realm is LOCAL.
(2) [ntdomain] = ok
(2) suffix : Request already has destination realm set. Ignoring.
(2) [suffix] = ok
(2) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2')
(2) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2') -> FALSE
(2) eap : EAP packet type response id 4 length 6
(2) eap : Continuing tunnel setup.
(2) [eap] = ok
(2) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4)
(2) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4) -> FALSE
(2) Found Auth-Type = EAP
(2) # Executing group from file /srv/freeradius/etc/raddb/sites-enabled/hefr
(2) group authenticate {
(2) - entering group authenticate {...}
(2) eap : Expiring EAP session with state 0xd6bf5df5d7bb4439
(2) eap : Finished EAP session with state 0xd6bf5df5d7bb4439
(2) eap : Previous EAP request found for state 0xd6bf5df5d7bb4439, released from the list
(2) eap : Peer sent PEAP (25)
(2) eap : EAP PEAP (25)
(2) eap : Calling eap_peap to process EAP data
(2) eap_peap : processing EAP-TLS
(2) eap_peap : Received TLS ACK
(2) eap_peap : Received TLS ACK
(2) eap_peap : ACK handshake fragment handler
(2) eap_peap : eaptls_verify returned 1
(2) eap_peap : eaptls_process returned 13
(2) eap_peap : FR_TLS_HANDLED
(2) eap : New EAP session, adding 'State' attribute to reply 0xd6bf5df5d4ba4439
(2) [eap] = handled
Sending Access-Challenge of id 148 from 0.0.0.0 port 1812 to 000.00.157.2 port 32768
EAP-Message =
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd6bf5df5d4ba4439f1739a59943e5377
(2) Finished request 2.
Waking up in 0.3 seconds.
rad_recv: Access-Request packet from host 000.00.157.2 port 32768, id=149, length=262
User-Name = 'SOFR\\masked-uid'
Calling-Station-Id = '00-24-d7-9b-37-a4'
Called-Station-Id = '00-14-1b-b5-2e-70:SECURE-HEFR-2'
NAS-Port = 13
Cisco-AVPair = 'audit-session-id=a0629d02000000e851e7b6d1'
NAS-IP-Address = 000.00.157.2
NAS-Identifier = 'wlc.per80-EAP'
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = '112'
EAP-Message = 0x020500061900
State = 0xd6bf5df5d4ba4439f1739a59943e5377
Message-Authenticator = 0xfab77ed12d173c5b714ff6290534b457
(3) # Executing section authorize from file /srv/freeradius/etc/raddb/sites-enabled/hefr
(3) group authorize {
(3) - entering group authorize {...}
(3) ? if (NAS-Identifier =~ /.*-EAP$/)
(3) ? if (NAS-Identifier =~ /.*-EAP$/) -> TRUE
(3) if (NAS-Identifier =~ /.*-EAP$/) {
(3) - entering if (NAS-Identifier =~ /.*-EAP$/) {...}
(3) policy permit_only_eap {
(3) - entering policy permit_only_eap {...}
(3) ? if (!EAP-Message)
(3) ? if (!EAP-Message) -> FALSE
(3) - policy permit_only_eap returns notfound
(3) - if (NAS-Identifier =~ /.*-EAP$/) returns notfound
(3) policy rewrite_called_station_id {
(3) - entering policy rewrite_called_station_id {...}
(3) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)
(3) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE
(3) if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {
(3) - entering if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {...}
(3) update request {
(3) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-14-1b-b5-2e-70'
(3) Called-Station-Id := "00-14-1b-b5-2e-70"
(3) } # update request = notfound
(3) ? if ("%{8}")
(3) expand: "%{8}" -> 'SECURE-HEFR-2'
(3) ? if ("%{8}") -> TRUE
(3) if ("%{8}") {
(3) - entering if ("%{8}") {...}
(3) update request {
(3) expand: "%{8}" -> 'SECURE-HEFR-2'
(3) Called-Station-SSID := "SECURE-HEFR-2"
(3) } # update request = notfound
(3) - if ("%{8}") returns notfound
(3) [updated] = updated
(3) - if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) returns updated
(3) ... skipping else for request 3: Preceding "if" was taken
(3) - policy rewrite_called_station_id returns updated
(3) policy rewrite_calling_station_id {
(3) - entering policy rewrite_calling_station_id {...}
(3) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)
(3) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) -> TRUE
(3) if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
(3) - entering if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {...}
(3) update request {
(3) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-24-d7-9b-37-a4'
(3) Calling-Station-Id := "00-24-d7-9b-37-a4"
(3) } # update request = updated
(3) [updated] = updated
(3) - if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) returns updated
(3) ... skipping else for request 3: Preceding "if" was taken
(3) - policy rewrite_calling_station_id returns updated
(3) auth_log : expand: "/srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718'
(3) auth_log : /srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718
(3) auth_log : expand: "%t" -> 'Thu Jul 18 11:35:14 2013'
(3) [auth_log] = ok
(3) ? if ("%{client:location}")
(3) expand: "%{client:location}" -> 'RORG-HEFR'
(3) ? if ("%{client:location}") -> TRUE
(3) if ("%{client:location}") {
(3) - entering if ("%{client:location}") {...}
(3) update request {
(3) expand: "%{client:location}" -> 'RORG-HEFR'
(3) HESSO-Location := "RORG-HEFR"
(3) } # update request = ok
(3) - if ("%{client:location}") returns ok
(3) ntdomain : Looking up realm "SOFR" for User-Name = "SOFR\masked-uid"
(3) ntdomain : Found realm "SOFR"
(3) ntdomain : Adding Realm = "SOFR"
(3) ntdomain : Authentication realm is LOCAL.
(3) [ntdomain] = ok
(3) suffix : Request already has destination realm set. Ignoring.
(3) [suffix] = ok
(3) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2')
(3) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2') -> FALSE
(3) eap : EAP packet type response id 5 length 6
(3) eap : Continuing tunnel setup.
(3) [eap] = ok
(3) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4)
(3) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4) -> FALSE
(3) Found Auth-Type = EAP
(3) # Executing group from file /srv/freeradius/etc/raddb/sites-enabled/hefr
(3) group authenticate {
(3) - entering group authenticate {...}
(3) eap : Expiring EAP session with state 0xd6bf5df5d4ba4439
(3) eap : Finished EAP session with state 0xd6bf5df5d4ba4439
(3) eap : Previous EAP request found for state 0xd6bf5df5d4ba4439, released from the list
(3) eap : Peer sent PEAP (25)
(3) eap : EAP PEAP (25)
(3) eap : Calling eap_peap to process EAP data
(3) eap_peap : processing EAP-TLS
(3) eap_peap : Received TLS ACK
(3) eap_peap : Received TLS ACK
(3) eap_peap : ACK handshake fragment handler
(3) eap_peap : eaptls_verify returned 1
(3) eap_peap : eaptls_process returned 13
(3) eap_peap : FR_TLS_HANDLED
(3) eap : New EAP session, adding 'State' attribute to reply 0xd6bf5df5d5b94439
(3) [eap] = handled
Sending Access-Challenge of id 149 from 0.0.0.0 port 1812 to 000.00.157.2 port 32768
EAP-Message =
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd6bf5df5d5b94439f1739a59943e5377
(3) Finished request 3.
Waking up in 0.3 seconds.
rad_recv: Access-Request packet from host 000.00.157.2 port 32768, id=150, length=594
User-Name = 'SOFR\\masked-uid'
Calling-Station-Id = '00-24-d7-9b-37-a4'
Called-Station-Id = '00-14-1b-b5-2e-70:SECURE-HEFR-2'
NAS-Port = 13
Cisco-AVPair = 'audit-session-id=a0629d02000000e851e7b6d1'
NAS-IP-Address = 000.00.157.2
NAS-Identifier = 'wlc.per80-EAP'
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = '112'
EAP-Message = 0x02060150198000000146160301010610000102010057cbf113a5893c820727d0b79e2aa96c3aa2aede64c261a2e18e0f8b9dce92da0347030402c24aee551ab1d263c0fc6f1bee7eac21783cb0d51e39f74bbe6e993b40ae250ec2be09578bbceb62be3c99e1531872eee6da38334dae17f367ee735588f46a8a71bd2281161ca48a8edc3acf17fc83ea8f5c4abc99b7d50d326e45fc528d9fd839abe475d6bcf685a47c9fc2f4e4b18b708139bb3662ec4f48a1ef4c0e4f8ed1d3bf810e592c16b9946929b759f380dae8a2a009b95996b7af6364e6c684f23b24b0d7b8b677a94804e8ba1644fa2da894ca8bd538933506f5e63db75689d664bfc9268a5a99a7d5b59b908caa178c62d08f9f2f6ea5c64396d49f14030100010116030100306dbb7ce840e89a512f8997e2cce3cc16f0e67e5b830a08ed7bad0edb6da4c14c626e1afe17004ff376edb30f141bcc51
State = 0xd6bf5df5d5b94439f1739a59943e5377
Message-Authenticator = 0x4e7585e7ba02eecfbd7ce2e84335b787
(4) # Executing section authorize from file /srv/freeradius/etc/raddb/sites-enabled/hefr
(4) group authorize {
(4) - entering group authorize {...}
(4) ? if (NAS-Identifier =~ /.*-EAP$/)
(4) ? if (NAS-Identifier =~ /.*-EAP$/) -> TRUE
(4) if (NAS-Identifier =~ /.*-EAP$/) {
(4) - entering if (NAS-Identifier =~ /.*-EAP$/) {...}
(4) policy permit_only_eap {
(4) - entering policy permit_only_eap {...}
(4) ? if (!EAP-Message)
(4) ? if (!EAP-Message) -> FALSE
(4) - policy permit_only_eap returns notfound
(4) - if (NAS-Identifier =~ /.*-EAP$/) returns notfound
(4) policy rewrite_called_station_id {
(4) - entering policy rewrite_called_station_id {...}
(4) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)
(4) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE
(4) if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {
(4) - entering if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {...}
(4) update request {
(4) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-14-1b-b5-2e-70'
(4) Called-Station-Id := "00-14-1b-b5-2e-70"
(4) } # update request = notfound
(4) ? if ("%{8}")
(4) expand: "%{8}" -> 'SECURE-HEFR-2'
(4) ? if ("%{8}") -> TRUE
(4) if ("%{8}") {
(4) - entering if ("%{8}") {...}
(4) update request {
(4) expand: "%{8}" -> 'SECURE-HEFR-2'
(4) Called-Station-SSID := "SECURE-HEFR-2"
(4) } # update request = notfound
(4) - if ("%{8}") returns notfound
(4) [updated] = updated
(4) - if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) returns updated
(4) ... skipping else for request 4: Preceding "if" was taken
(4) - policy rewrite_called_station_id returns updated
(4) policy rewrite_calling_station_id {
(4) - entering policy rewrite_calling_station_id {...}
(4) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)
(4) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) -> TRUE
(4) if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
(4) - entering if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {...}
(4) update request {
(4) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-24-d7-9b-37-a4'
(4) Calling-Station-Id := "00-24-d7-9b-37-a4"
(4) } # update request = updated
(4) [updated] = updated
(4) - if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) returns updated
(4) ... skipping else for request 4: Preceding "if" was taken
(4) - policy rewrite_calling_station_id returns updated
(4) auth_log : expand: "/srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718'
(4) auth_log : /srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718
(4) auth_log : expand: "%t" -> 'Thu Jul 18 11:35:14 2013'
(4) [auth_log] = ok
(4) ? if ("%{client:location}")
(4) expand: "%{client:location}" -> 'RORG-HEFR'
(4) ? if ("%{client:location}") -> TRUE
(4) if ("%{client:location}") {
(4) - entering if ("%{client:location}") {...}
(4) update request {
(4) expand: "%{client:location}" -> 'RORG-HEFR'
(4) HESSO-Location := "RORG-HEFR"
(4) } # update request = ok
(4) - if ("%{client:location}") returns ok
(4) ntdomain : Looking up realm "SOFR" for User-Name = "SOFR\masked-uid"
(4) ntdomain : Found realm "SOFR"
(4) ntdomain : Adding Realm = "SOFR"
(4) ntdomain : Authentication realm is LOCAL.
(4) [ntdomain] = ok
(4) suffix : Request already has destination realm set. Ignoring.
(4) [suffix] = ok
(4) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2')
(4) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2') -> FALSE
(4) eap : EAP packet type response id 6 length 336
(4) eap : Continuing tunnel setup.
(4) [eap] = ok
(4) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4)
(4) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4) -> FALSE
(4) Found Auth-Type = EAP
(4) # Executing group from file /srv/freeradius/etc/raddb/sites-enabled/hefr
(4) group authenticate {
(4) - entering group authenticate {...}
(4) eap : Expiring EAP session with state 0xd6bf5df5d5b94439
(4) eap : Finished EAP session with state 0xd6bf5df5d5b94439
(4) eap : Previous EAP request found for state 0xd6bf5df5d5b94439, released from the list
(4) eap : Peer sent PEAP (25)
(4) eap : EAP PEAP (25)
(4) eap : Calling eap_peap to process EAP data
(4) eap_peap : processing EAP-TLS
TLS Length 326
(4) eap_peap : Length Included
(4) eap_peap : eaptls_verify returned 11
(4) eap_peap : <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
(4) eap_peap : TLS_accept: SSLv3 read client key exchange A
(4) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001]
(4) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished
(4) eap_peap : TLS_accept: SSLv3 read finished A
(4) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001]
(4) eap_peap : TLS_accept: SSLv3 write change cipher spec A
(4) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished
(4) eap_peap : TLS_accept: SSLv3 write finished A
(4) eap_peap : TLS_accept: SSLv3 flush data
SSL: adding session 2e4d29941698a934c07df3daaa9a121741d863190b8e9dbc0dcbe34abeef81d5 to cache
(4) eap_peap : (other): SSL negotiation finished successfully
SSL Connection Established
(4) eap_peap : eaptls_process returned 13
(4) eap_peap : FR_TLS_HANDLED
(4) eap : New EAP session, adding 'State' attribute to reply 0xd6bf5df5d2b84439
(4) [eap] = handled
Sending Access-Challenge of id 150 from 0.0.0.0 port 1812 to 000.00.157.2 port 32768
EAP-Message = 0x0107004119001403010001011603010030471fe2086c3f717c864f25bddcf7a8dbb52c5eebbeb0707bdaf662d2c8e372dc12aafadb4463ca98cf176dcadedf4a36
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd6bf5df5d2b84439f1739a59943e5377
(4) Finished request 4.
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host 000.00.157.2 port 32768, id=151, length=262
User-Name = 'SOFR\\masked-uid'
Calling-Station-Id = '00-24-d7-9b-37-a4'
Called-Station-Id = '00-14-1b-b5-2e-70:SECURE-HEFR-2'
NAS-Port = 13
Cisco-AVPair = 'audit-session-id=a0629d02000000e851e7b6d1'
NAS-IP-Address = 000.00.157.2
NAS-Identifier = 'wlc.per80-EAP'
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = '112'
EAP-Message = 0x020700061900
State = 0xd6bf5df5d2b84439f1739a59943e5377
Message-Authenticator = 0x2381bf9f6d5d95fa69e47fbaabe2a619
(5) # Executing section authorize from file /srv/freeradius/etc/raddb/sites-enabled/hefr
(5) group authorize {
(5) - entering group authorize {...}
(5) ? if (NAS-Identifier =~ /.*-EAP$/)
(5) ? if (NAS-Identifier =~ /.*-EAP$/) -> TRUE
(5) if (NAS-Identifier =~ /.*-EAP$/) {
(5) - entering if (NAS-Identifier =~ /.*-EAP$/) {...}
(5) policy permit_only_eap {
(5) - entering policy permit_only_eap {...}
(5) ? if (!EAP-Message)
(5) ? if (!EAP-Message) -> FALSE
(5) - policy permit_only_eap returns notfound
(5) - if (NAS-Identifier =~ /.*-EAP$/) returns notfound
(5) policy rewrite_called_station_id {
(5) - entering policy rewrite_called_station_id {...}
(5) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)
(5) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE
(5) if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {
(5) - entering if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {...}
(5) update request {
(5) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-14-1b-b5-2e-70'
(5) Called-Station-Id := "00-14-1b-b5-2e-70"
(5) } # update request = notfound
(5) ? if ("%{8}")
(5) expand: "%{8}" -> 'SECURE-HEFR-2'
(5) ? if ("%{8}") -> TRUE
(5) if ("%{8}") {
(5) - entering if ("%{8}") {...}
(5) update request {
(5) expand: "%{8}" -> 'SECURE-HEFR-2'
(5) Called-Station-SSID := "SECURE-HEFR-2"
(5) } # update request = notfound
(5) - if ("%{8}") returns notfound
(5) [updated] = updated
(5) - if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) returns updated
(5) ... skipping else for request 5: Preceding "if" was taken
(5) - policy rewrite_called_station_id returns updated
(5) policy rewrite_calling_station_id {
(5) - entering policy rewrite_calling_station_id {...}
(5) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)
(5) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) -> TRUE
(5) if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
(5) - entering if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {...}
(5) update request {
(5) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-24-d7-9b-37-a4'
(5) Calling-Station-Id := "00-24-d7-9b-37-a4"
(5) } # update request = updated
(5) [updated] = updated
(5) - if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) returns updated
(5) ... skipping else for request 5: Preceding "if" was taken
(5) - policy rewrite_calling_station_id returns updated
(5) auth_log : expand: "/srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718'
(5) auth_log : /srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718
(5) auth_log : expand: "%t" -> 'Thu Jul 18 11:35:14 2013'
(5) [auth_log] = ok
(5) ? if ("%{client:location}")
(5) expand: "%{client:location}" -> 'RORG-HEFR'
(5) ? if ("%{client:location}") -> TRUE
(5) if ("%{client:location}") {
(5) - entering if ("%{client:location}") {...}
(5) update request {
(5) expand: "%{client:location}" -> 'RORG-HEFR'
(5) HESSO-Location := "RORG-HEFR"
(5) } # update request = ok
(5) - if ("%{client:location}") returns ok
(5) ntdomain : Looking up realm "SOFR" for User-Name = "SOFR\masked-uid"
(5) ntdomain : Found realm "SOFR"
(5) ntdomain : Adding Realm = "SOFR"
(5) ntdomain : Authentication realm is LOCAL.
(5) [ntdomain] = ok
(5) suffix : Request already has destination realm set. Ignoring.
(5) [suffix] = ok
(5) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2')
(5) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2') -> FALSE
(5) eap : EAP packet type response id 7 length 6
(5) eap : Continuing tunnel setup.
(5) [eap] = ok
(5) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4)
(5) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4) -> FALSE
(5) Found Auth-Type = EAP
(5) # Executing group from file /srv/freeradius/etc/raddb/sites-enabled/hefr
(5) group authenticate {
(5) - entering group authenticate {...}
(5) eap : Expiring EAP session with state 0xd6bf5df5d2b84439
(5) eap : Finished EAP session with state 0xd6bf5df5d2b84439
(5) eap : Previous EAP request found for state 0xd6bf5df5d2b84439, released from the list
(5) eap : Peer sent PEAP (25)
(5) eap : EAP PEAP (25)
(5) eap : Calling eap_peap to process EAP data
(5) eap_peap : processing EAP-TLS
(5) eap_peap : Received TLS ACK
(5) eap_peap : Received TLS ACK
(5) eap_peap : ACK handshake is finished
(5) eap_peap : eaptls_verify returned 3
(5) eap_peap : eaptls_process returned 3
(5) eap_peap : FR_TLS_SUCCESS
(5) eap_peap : Session established. Decoding tunneled attributes.
(5) eap_peap : Peap state TUNNEL ESTABLISHED
(5) eap : New EAP session, adding 'State' attribute to reply 0xd6bf5df5d3b74439
(5) [eap] = handled
Sending Access-Challenge of id 151 from 0.0.0.0 port 1812 to 000.00.157.2 port 32768
EAP-Message = 0x0108002b190017030100203eacbc449c366d071aad24761568b98a42a17838dbb440aea2d1712d9f9ab879
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd6bf5df5d3b74439f1739a59943e5377
(5) Finished request 5.
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host 000.00.157.2 port 32768, id=152, length=315
User-Name = 'SOFR\\masked-uid'
Calling-Station-Id = '00-24-d7-9b-37-a4'
Called-Station-Id = '00-14-1b-b5-2e-70:SECURE-HEFR-2'
NAS-Port = 13
Cisco-AVPair = 'audit-session-id=a0629d02000000e851e7b6d1'
NAS-IP-Address = 000.00.157.2
NAS-Identifier = 'wlc.per80-EAP'
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = '112'
EAP-Message = 0x0208003b19001703010030b482c35042acda6ad9fc1026b3658ea3489a06ae243be29e82abfec2ade5ffbe5a553e65349391cbc48a8c76a84d944d
State = 0xd6bf5df5d3b74439f1739a59943e5377
Message-Authenticator = 0xe93ef0a9876bbb6cc6d59fe31de084a6
(6) # Executing section authorize from file /srv/freeradius/etc/raddb/sites-enabled/hefr
(6) group authorize {
(6) - entering group authorize {...}
(6) ? if (NAS-Identifier =~ /.*-EAP$/)
(6) ? if (NAS-Identifier =~ /.*-EAP$/) -> TRUE
(6) if (NAS-Identifier =~ /.*-EAP$/) {
(6) - entering if (NAS-Identifier =~ /.*-EAP$/) {...}
(6) policy permit_only_eap {
(6) - entering policy permit_only_eap {...}
(6) ? if (!EAP-Message)
(6) ? if (!EAP-Message) -> FALSE
(6) - policy permit_only_eap returns notfound
(6) - if (NAS-Identifier =~ /.*-EAP$/) returns notfound
(6) policy rewrite_called_station_id {
(6) - entering policy rewrite_called_station_id {...}
(6) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)
(6) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE
(6) if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {
(6) - entering if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {...}
(6) update request {
(6) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-14-1b-b5-2e-70'
(6) Called-Station-Id := "00-14-1b-b5-2e-70"
(6) } # update request = notfound
(6) ? if ("%{8}")
(6) expand: "%{8}" -> 'SECURE-HEFR-2'
(6) ? if ("%{8}") -> TRUE
(6) if ("%{8}") {
(6) - entering if ("%{8}") {...}
(6) update request {
(6) expand: "%{8}" -> 'SECURE-HEFR-2'
(6) Called-Station-SSID := "SECURE-HEFR-2"
(6) } # update request = notfound
(6) - if ("%{8}") returns notfound
(6) [updated] = updated
(6) - if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) returns updated
(6) ... skipping else for request 6: Preceding "if" was taken
(6) - policy rewrite_called_station_id returns updated
(6) policy rewrite_calling_station_id {
(6) - entering policy rewrite_calling_station_id {...}
(6) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)
(6) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) -> TRUE
(6) if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
(6) - entering if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {...}
(6) update request {
(6) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-24-d7-9b-37-a4'
(6) Calling-Station-Id := "00-24-d7-9b-37-a4"
(6) } # update request = updated
(6) [updated] = updated
(6) - if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) returns updated
(6) ... skipping else for request 6: Preceding "if" was taken
(6) - policy rewrite_calling_station_id returns updated
(6) auth_log : expand: "/srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718'
(6) auth_log : /srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718
(6) auth_log : expand: "%t" -> 'Thu Jul 18 11:35:14 2013'
(6) [auth_log] = ok
(6) ? if ("%{client:location}")
(6) expand: "%{client:location}" -> 'RORG-HEFR'
(6) ? if ("%{client:location}") -> TRUE
(6) if ("%{client:location}") {
(6) - entering if ("%{client:location}") {...}
(6) update request {
(6) expand: "%{client:location}" -> 'RORG-HEFR'
(6) HESSO-Location := "RORG-HEFR"
(6) } # update request = ok
(6) - if ("%{client:location}") returns ok
(6) ntdomain : Looking up realm "SOFR" for User-Name = "SOFR\masked-uid"
(6) ntdomain : Found realm "SOFR"
(6) ntdomain : Adding Realm = "SOFR"
(6) ntdomain : Authentication realm is LOCAL.
(6) [ntdomain] = ok
(6) suffix : Request already has destination realm set. Ignoring.
(6) [suffix] = ok
(6) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2')
(6) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2') -> FALSE
(6) eap : EAP packet type response id 8 length 59
(6) eap : Continuing tunnel setup.
(6) [eap] = ok
(6) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4)
(6) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4) -> FALSE
(6) Found Auth-Type = EAP
(6) # Executing group from file /srv/freeradius/etc/raddb/sites-enabled/hefr
(6) group authenticate {
(6) - entering group authenticate {...}
(6) eap : Expiring EAP session with state 0xd6bf5df5d3b74439
(6) eap : Finished EAP session with state 0xd6bf5df5d3b74439
(6) eap : Previous EAP request found for state 0xd6bf5df5d3b74439, released from the list
(6) eap : Peer sent PEAP (25)
(6) eap : EAP PEAP (25)
(6) eap : Calling eap_peap to process EAP data
(6) eap_peap : processing EAP-TLS
(6) eap_peap : eaptls_verify returned 7
(6) eap_peap : Done initial handshake
(6) eap_peap : eaptls_process returned 7
(6) eap_peap : FR_TLS_OK
(6) eap_peap : Session established. Decoding tunneled attributes.
(6) eap_peap : Peap state WAITING FOR INNER IDENTITY
(6) eap_peap : Identity - SOFR\masked-uid
(6) eap_peap : Got inner identity 'SOFR\masked-uid'
(6) eap_peap : Setting default EAP type for tunneled EAP session.
(6) eap_peap : Got tunneled request
EAP-Message = 0x0208001a01534f46525c6f6c69766965722e626579747269736f
server eduroam {
(6) eap_peap : Setting User-Name to SOFR\masked-uid
Sending tunneled request
EAP-Message = 0x0208001a01534f46525c6f6c69766965722e626579747269736f
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'SOFR\\masked-uid'
Calling-Station-Id = '00-24-d7-9b-37-a4'
Called-Station-Id = '00-14-1b-b5-2e-70'
NAS-Port = 13
NAS-IP-Address = 000.00.157.2
NAS-Identifier = 'wlc.per80-EAP'
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = '112'
HESSO-Location = 'RORG-HEFR'
server secure-hefr-inner-tunnel {
(6) # Executing section authorize from file /srv/freeradius/etc/raddb/sites-enabled/secure-hefr-inner-tunnel
(6) group authorize {
(6) - entering group authorize {...}
(6) [mschap] = noop
(6) ntdomain : Looking up realm "SOFR" for User-Name = "SOFR\masked-uid"
(6) ntdomain : Found realm "SOFR"
(6) ntdomain : Adding Realm = "SOFR"
(6) ntdomain : Authentication realm is LOCAL.
(6) [ntdomain] = ok
(6) update control {
(6) Proxy-To-Realm := 'LOCAL'
(6) } # update control = ok
(6) ? if (User-Name =~ /SOFR.(.*)$/)
(6) ? if (User-Name =~ /SOFR.(.*)$/) -> TRUE
(6) if (User-Name =~ /SOFR.(.*)$/) {
(6) - entering if (User-Name =~ /SOFR.(.*)$/) {...}
(6) update request {
(6) expand: "%{1}" -> 'masked-uid'
(6) Stripped-User-Name := "masked-uid"
(6) } # update request = ok
(6) - if (User-Name =~ /SOFR.(.*)$/) returns ok
(6) eap : EAP packet type response id 8 length 26
(6) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(6) [eap] = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /srv/freeradius/etc/raddb/sites-enabled/secure-hefr-inner-tunnel
(6) group authenticate {
(6) - entering group authenticate {...}
(6) eap : Peer sent Identity (1)
(6) eap : Calling eap_mschapv2 to process EAP data
(6) eap_mschapv2 : Issuing Challenge
(6) eap : New EAP session, adding 'State' attribute to reply 0x09e69a9109ef80a5
(6) [eap] = handled
} # server secure-hefr-inner-tunnel
(6) eap_peap : Got tunneled reply code 11
EAP-Message = 0x0109002f1a0109002a102b01ed9f6f07fb661070a2e83c9f3508534f46525c6f6c69766965722e626579747269736f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x09e69a9109ef80a53eb6cc89b8b9ec91
(6) eap_peap : Got tunneled reply RADIUS code 11
EAP-Message = 0x0109002f1a0109002a102b01ed9f6f07fb661070a2e83c9f3508534f46525c6f6c69766965722e626579747269736f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x09e69a9109ef80a53eb6cc89b8b9ec91
(6) eap_peap : Got tunneled Access-Challenge
(6) eap : New EAP session, adding 'State' attribute to reply 0xd6bf5df5d0b64439
(6) [eap] = handled
Sending Access-Challenge of id 152 from 0.0.0.0 port 1812 to 000.00.157.2 port 32768
EAP-Message = 0x0109007b19001703010070a040db3bcbf2a098fb8a5d86b9fdb4da157eec97b1a09480fdcf4406bd0d8c4159b69230677921c8d99d3288159b901115ba26a25d33c3c2e131ecd6487d2c89bc6c6841667677166637ddb7c8675c2a6d0de7d2ea41e079f1c8c06230a6b48125cfa466a70550cdb61d32b889a50f75
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd6bf5df5d0b64439f1739a59943e5377
(6) Finished request 6.
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host 000.00.157.2 port 32768, id=153, length=379
User-Name = 'SOFR\\masked-uid'
Calling-Station-Id = '00-24-d7-9b-37-a4'
Called-Station-Id = '00-14-1b-b5-2e-70:SECURE-HEFR-2'
NAS-Port = 13
Cisco-AVPair = 'audit-session-id=a0629d02000000e851e7b6d1'
NAS-IP-Address = 000.00.157.2
NAS-Identifier = 'wlc.per80-EAP'
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = '112'
EAP-Message = 0x0209007b190017030100709b340c93950cbb35c15bc420978f2d356cc1cf33052754dd1df01cb60bfc4e412ac34e7c69e962caf0d3908e3ec916c1e85c990530b04bd463b39408d0203dc2ac73b2a915143d154b0648098a6ce6d65ac2f67bd9b0b54cfb3e5b781f06b1be22d1582f4db08e920faaac0055aa1528
State = 0xd6bf5df5d0b64439f1739a59943e5377
Message-Authenticator = 0xa4125b81d15aeedcaaa65391e731725d
(7) # Executing section authorize from file /srv/freeradius/etc/raddb/sites-enabled/hefr
(7) group authorize {
(7) - entering group authorize {...}
(7) ? if (NAS-Identifier =~ /.*-EAP$/)
(7) ? if (NAS-Identifier =~ /.*-EAP$/) -> TRUE
(7) if (NAS-Identifier =~ /.*-EAP$/) {
(7) - entering if (NAS-Identifier =~ /.*-EAP$/) {...}
(7) policy permit_only_eap {
(7) - entering policy permit_only_eap {...}
(7) ? if (!EAP-Message)
(7) ? if (!EAP-Message) -> FALSE
(7) - policy permit_only_eap returns notfound
(7) - if (NAS-Identifier =~ /.*-EAP$/) returns notfound
(7) policy rewrite_called_station_id {
(7) - entering policy rewrite_called_station_id {...}
(7) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)
(7) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE
(7) if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {
(7) - entering if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {...}
(7) update request {
(7) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-14-1b-b5-2e-70'
(7) Called-Station-Id := "00-14-1b-b5-2e-70"
(7) } # update request = notfound
(7) ? if ("%{8}")
(7) expand: "%{8}" -> 'SECURE-HEFR-2'
(7) ? if ("%{8}") -> TRUE
(7) if ("%{8}") {
(7) - entering if ("%{8}") {...}
(7) update request {
(7) expand: "%{8}" -> 'SECURE-HEFR-2'
(7) Called-Station-SSID := "SECURE-HEFR-2"
(7) } # update request = notfound
(7) - if ("%{8}") returns notfound
(7) [updated] = updated
(7) - if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) returns updated
(7) ... skipping else for request 7: Preceding "if" was taken
(7) - policy rewrite_called_station_id returns updated
(7) policy rewrite_calling_station_id {
(7) - entering policy rewrite_calling_station_id {...}
(7) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)
(7) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) -> TRUE
(7) if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
(7) - entering if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {...}
(7) update request {
(7) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-24-d7-9b-37-a4'
(7) Calling-Station-Id := "00-24-d7-9b-37-a4"
(7) } # update request = updated
(7) [updated] = updated
(7) - if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) returns updated
(7) ... skipping else for request 7: Preceding "if" was taken
(7) - policy rewrite_calling_station_id returns updated
(7) auth_log : expand: "/srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718'
(7) auth_log : /srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718
(7) auth_log : expand: "%t" -> 'Thu Jul 18 11:35:14 2013'
(7) [auth_log] = ok
(7) ? if ("%{client:location}")
(7) expand: "%{client:location}" -> 'RORG-HEFR'
(7) ? if ("%{client:location}") -> TRUE
(7) if ("%{client:location}") {
(7) - entering if ("%{client:location}") {...}
(7) update request {
(7) expand: "%{client:location}" -> 'RORG-HEFR'
(7) HESSO-Location := "RORG-HEFR"
(7) } # update request = ok
(7) - if ("%{client:location}") returns ok
(7) ntdomain : Looking up realm "SOFR" for User-Name = "SOFR\masked-uid"
(7) ntdomain : Found realm "SOFR"
(7) ntdomain : Adding Realm = "SOFR"
(7) ntdomain : Authentication realm is LOCAL.
(7) [ntdomain] = ok
(7) suffix : Request already has destination realm set. Ignoring.
(7) [suffix] = ok
(7) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2')
(7) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2') -> FALSE
(7) eap : EAP packet type response id 9 length 123
(7) eap : Continuing tunnel setup.
(7) [eap] = ok
(7) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4)
(7) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4) -> FALSE
(7) Found Auth-Type = EAP
(7) # Executing group from file /srv/freeradius/etc/raddb/sites-enabled/hefr
(7) group authenticate {
(7) - entering group authenticate {...}
(7) eap : Expiring EAP session with state 0x09e69a9109ef80a5
(7) eap : Finished EAP session with state 0xd6bf5df5d0b64439
(7) eap : Previous EAP request found for state 0xd6bf5df5d0b64439, released from the list
(7) eap : Peer sent PEAP (25)
(7) eap : EAP PEAP (25)
(7) eap : Calling eap_peap to process EAP data
(7) eap_peap : processing EAP-TLS
(7) eap_peap : eaptls_verify returned 7
(7) eap_peap : Done initial handshake
(7) eap_peap : eaptls_process returned 7
(7) eap_peap : FR_TLS_OK
(7) eap_peap : Session established. Decoding tunneled attributes.
(7) eap_peap : Peap state phase2
(7) eap_peap : EAP type MSCHAPv2 (26)
(7) eap_peap : Got tunneled request
EAP-Message = 0x020900501a0209004b31dcd8124da2cd8b20ae2cc2d55ea81aeb000000000000000096ee0f6b7bd66243d5a0af319068873ce7881e4f7b0250bd00534f46525c6f6c69766965722e626579747269736f
server eduroam {
(7) eap_peap : Setting User-Name to SOFR\masked-uid
Sending tunneled request
EAP-Message = 0x020900501a0209004b31dcd8124da2cd8b20ae2cc2d55ea81aeb000000000000000096ee0f6b7bd66243d5a0af319068873ce7881e4f7b0250bd00534f46525c6f6c69766965722e626579747269736f
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'SOFR\\masked-uid'
State = 0x09e69a9109ef80a53eb6cc89b8b9ec91
Calling-Station-Id = '00-24-d7-9b-37-a4'
Called-Station-Id = '00-14-1b-b5-2e-70'
NAS-Port = 13
NAS-IP-Address = 000.00.157.2
NAS-Identifier = 'wlc.per80-EAP'
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = '112'
HESSO-Location = 'RORG-HEFR'
server secure-hefr-inner-tunnel {
(7) # Executing section authorize from file /srv/freeradius/etc/raddb/sites-enabled/secure-hefr-inner-tunnel
(7) group authorize {
(7) - entering group authorize {...}
(7) [mschap] = noop
(7) ntdomain : Looking up realm "SOFR" for User-Name = "SOFR\masked-uid"
(7) ntdomain : Found realm "SOFR"
(7) ntdomain : Adding Realm = "SOFR"
(7) ntdomain : Authentication realm is LOCAL.
(7) [ntdomain] = ok
(7) update control {
(7) Proxy-To-Realm := 'LOCAL'
(7) } # update control = ok
(7) ? if (User-Name =~ /SOFR.(.*)$/)
(7) ? if (User-Name =~ /SOFR.(.*)$/) -> TRUE
(7) if (User-Name =~ /SOFR.(.*)$/) {
(7) - entering if (User-Name =~ /SOFR.(.*)$/) {...}
(7) update request {
(7) expand: "%{1}" -> 'masked-uid'
(7) Stripped-User-Name := "masked-uid"
(7) } # update request = ok
(7) - if (User-Name =~ /SOFR.(.*)$/) returns ok
(7) eap : EAP packet type response id 9 length 80
(7) eap : No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
rlm_ldap (ldap): Reserved connection (4)
(7) ldap : expand: "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(uid=masked-uid)'
(7) ldap : expand: "ou=people,o=hefr" -> 'ou=people,o=hefr'
(7) ldap : Performing search in 'ou=people,o=hefr' with filter '(uid=masked-uid)'
(7) ldap : Waiting for search result...
(7) ldap : User object found at DN "cn=masked-uid,ou=courant,ou=people,o=hefr"
(7) ldap : Added eDirectory password in check items as Cleartext-Password = masked-password
(7) ldap : Binding as user for eDirectory authorization checks
(7) ldap : Waiting for bind result...
(7) ldap : Bind successful
(7) ldap : Bind as user "cn=masked-uid,ou=courant,ou=people,o=hefr" was successful
(7) ldap : reply:HESSO-Role-Raw := '31935762-440774439#RORG-HEFR-EIFR-INTR-INFO#EMP#COL'
rlm_ldap (ldap): Released connection (4)
rlm_ldap (ldap): Closing connection (0): Too many free connections (5 > 3)
(7) [ldap] = ok
(7) ? if ("%{debug_attr: reply}" == "")
(7) Attributes matching "reply"
(7) reply:HESSO-Role-Raw = '31935762-440774439#RORG-HEFR-EIFR-INTR-INFO#EMP#COL'
(7) expand: "%{debug_attr: reply}" -> ''
(7) ? if ("%{debug_attr: reply}" == "") -> TRUE
(7) if ("%{debug_attr: reply}" == "") {
(7) - entering if ("%{debug_attr: reply}" == "") {...}
(7) [noop] = noop
(7) - if ("%{debug_attr: reply}" == "") returns updated
(7) WARNING: pap : Auth-Type already set. Not setting to PAP
(7) [pap] = noop
(7) Found Auth-Type = EAP
(7) # Executing group from file /srv/freeradius/etc/raddb/sites-enabled/secure-hefr-inner-tunnel
(7) group authenticate {
(7) - entering group authenticate {...}
(7) eap : Expiring EAP session with state 0x09e69a9109ef80a5
(7) eap : Finished EAP session with state 0x09e69a9109ef80a5
(7) eap : Previous EAP request found for state 0x09e69a9109ef80a5, released from the list
(7) eap : Peer sent MSCHAPv2 (26)
(7) eap : EAP MSCHAPv2 (26)
(7) eap : Calling eap_mschapv2 to process EAP data
(7) eap_mschapv2 : # Executing group from file /srv/freeradius/etc/raddb/sites-enabled/secure-hefr-inner-tunnel
(7) eap_mschapv2 : group MS-CHAP {
(7) eap_mschapv2 : - entering group MS-CHAP {...}
(7) mschap : Creating challenge hash with username: masked-uid
(7) mschap : Client is using MS-CHAPv2 for masked-uid, we need NT-Password
(7) mschap : adding MS-CHAPv2 MPPE keys
(7) [mschap] = ok
MSCHAP Success
(7) eap : New EAP session, adding 'State' attribute to reply 0x09e69a9108ec80a5
(7) [eap] = handled
} # server secure-hefr-inner-tunnel
(7) eap_peap : Got tunneled reply code 11
HESSO-Role-Raw = '31935762-440774439#RORG-HEFR-EIFR-INTR-INFO#EMP#COL'
EAP-Message = 0x010a00331a0309002e533d36463146433039463146453336333741373445433937393937313437334141344330324536364443
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x09e69a9108ec80a53eb6cc89b8b9ec91
(7) eap_peap : Got tunneled reply RADIUS code 11
HESSO-Role-Raw = '31935762-440774439#RORG-HEFR-EIFR-INTR-INFO#EMP#COL'
EAP-Message = 0x010a00331a0309002e533d36463146433039463146453336333741373445433937393937313437334141344330324536364443
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x09e69a9108ec80a53eb6cc89b8b9ec91
(7) eap_peap : Got tunneled Access-Challenge
(7) eap : New EAP session, adding 'State' attribute to reply 0xd6bf5df5d1b54439
(7) [eap] = handled
Sending Access-Challenge of id 153 from 0.0.0.0 port 1812 to 000.00.157.2 port 32768
EAP-Message = 0x010a008b1900170301008067c5b68a1764001fb2a24e85ee4e517173085427f6d163b0da7f90e662d76c88c4da3fd87a90b0ef07f29f34a5579a36c610ce3ee8e3f5a61b1859371303f0f1b3bc406ec6cf0defe8d0c0bc8ac7c460f56e4e40dd464139e50d2daf0633de573112c64b7a9ea0d631f52c238ebb063f1510fc162953e06ab67b462a188f4022
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd6bf5df5d1b54439f1739a59943e5377
(7) Finished request 7.
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host 000.00.157.2 port 32768, id=154, length=299
User-Name = 'SOFR\\masked-uid'
Calling-Station-Id = '00-24-d7-9b-37-a4'
Called-Station-Id = '00-14-1b-b5-2e-70:SECURE-HEFR-2'
NAS-Port = 13
Cisco-AVPair = 'audit-session-id=a0629d02000000e851e7b6d1'
NAS-IP-Address = 000.00.157.2
NAS-Identifier = 'wlc.per80-EAP'
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = '112'
EAP-Message = 0x020a002b190017030100204efe9d7bbe4638ea5737980d9ea5a5d7566eecb1879e8012f943526df0af7f09
State = 0xd6bf5df5d1b54439f1739a59943e5377
Message-Authenticator = 0xdce0b687ff8671ba8b12131dabef0d2e
(8) # Executing section authorize from file /srv/freeradius/etc/raddb/sites-enabled/hefr
(8) group authorize {
(8) - entering group authorize {...}
(8) ? if (NAS-Identifier =~ /.*-EAP$/)
(8) ? if (NAS-Identifier =~ /.*-EAP$/) -> TRUE
(8) if (NAS-Identifier =~ /.*-EAP$/) {
(8) - entering if (NAS-Identifier =~ /.*-EAP$/) {...}
(8) policy permit_only_eap {
(8) - entering policy permit_only_eap {...}
(8) ? if (!EAP-Message)
(8) ? if (!EAP-Message) -> FALSE
(8) - policy permit_only_eap returns notfound
(8) - if (NAS-Identifier =~ /.*-EAP$/) returns notfound
(8) policy rewrite_called_station_id {
(8) - entering policy rewrite_called_station_id {...}
(8) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)
(8) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE
(8) if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {
(8) - entering if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {...}
(8) update request {
(8) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-14-1b-b5-2e-70'
(8) Called-Station-Id := "00-14-1b-b5-2e-70"
(8) } # update request = notfound
(8) ? if ("%{8}")
(8) expand: "%{8}" -> 'SECURE-HEFR-2'
(8) ? if ("%{8}") -> TRUE
(8) if ("%{8}") {
(8) - entering if ("%{8}") {...}
(8) update request {
(8) expand: "%{8}" -> 'SECURE-HEFR-2'
(8) Called-Station-SSID := "SECURE-HEFR-2"
(8) } # update request = notfound
(8) - if ("%{8}") returns notfound
(8) [updated] = updated
(8) - if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) returns updated
(8) ... skipping else for request 8: Preceding "if" was taken
(8) - policy rewrite_called_station_id returns updated
(8) policy rewrite_calling_station_id {
(8) - entering policy rewrite_calling_station_id {...}
(8) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)
(8) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) -> TRUE
(8) if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
(8) - entering if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {...}
(8) update request {
(8) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-24-d7-9b-37-a4'
(8) Calling-Station-Id := "00-24-d7-9b-37-a4"
(8) } # update request = updated
(8) [updated] = updated
(8) - if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) returns updated
(8) ... skipping else for request 8: Preceding "if" was taken
(8) - policy rewrite_calling_station_id returns updated
(8) auth_log : expand: "/srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718'
(8) auth_log : /srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718
(8) auth_log : expand: "%t" -> 'Thu Jul 18 11:35:14 2013'
(8) [auth_log] = ok
(8) ? if ("%{client:location}")
(8) expand: "%{client:location}" -> 'RORG-HEFR'
(8) ? if ("%{client:location}") -> TRUE
(8) if ("%{client:location}") {
(8) - entering if ("%{client:location}") {...}
(8) update request {
(8) expand: "%{client:location}" -> 'RORG-HEFR'
(8) HESSO-Location := "RORG-HEFR"
(8) } # update request = ok
(8) - if ("%{client:location}") returns ok
(8) ntdomain : Looking up realm "SOFR" for User-Name = "SOFR\masked-uid"
(8) ntdomain : Found realm "SOFR"
(8) ntdomain : Adding Realm = "SOFR"
(8) ntdomain : Authentication realm is LOCAL.
(8) [ntdomain] = ok
(8) suffix : Request already has destination realm set. Ignoring.
(8) [suffix] = ok
(8) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2')
(8) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2') -> FALSE
(8) eap : EAP packet type response id 10 length 43
(8) eap : Continuing tunnel setup.
(8) [eap] = ok
(8) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4)
(8) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4) -> FALSE
(8) Found Auth-Type = EAP
(8) # Executing group from file /srv/freeradius/etc/raddb/sites-enabled/hefr
(8) group authenticate {
(8) - entering group authenticate {...}
(8) eap : Expiring EAP session with state 0x09e69a9108ec80a5
(8) eap : Finished EAP session with state 0xd6bf5df5d1b54439
(8) eap : Previous EAP request found for state 0xd6bf5df5d1b54439, released from the list
(8) eap : Peer sent PEAP (25)
(8) eap : EAP PEAP (25)
(8) eap : Calling eap_peap to process EAP data
(8) eap_peap : processing EAP-TLS
(8) eap_peap : eaptls_verify returned 7
(8) eap_peap : Done initial handshake
(8) eap_peap : eaptls_process returned 7
(8) eap_peap : FR_TLS_OK
(8) eap_peap : Session established. Decoding tunneled attributes.
(8) eap_peap : Peap state phase2
(8) eap_peap : EAP type MSCHAPv2 (26)
(8) eap_peap : Got tunneled request
EAP-Message = 0x020a00061a03
server eduroam {
(8) eap_peap : Setting User-Name to SOFR\masked-uid
Sending tunneled request
EAP-Message = 0x020a00061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'SOFR\\masked-uid'
State = 0x09e69a9108ec80a53eb6cc89b8b9ec91
Calling-Station-Id = '00-24-d7-9b-37-a4'
Called-Station-Id = '00-14-1b-b5-2e-70'
NAS-Port = 13
NAS-IP-Address = 000.00.157.2
NAS-Identifier = 'wlc.per80-EAP'
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = '112'
HESSO-Location = 'RORG-HEFR'
server secure-hefr-inner-tunnel {
(8) # Executing section authorize from file /srv/freeradius/etc/raddb/sites-enabled/secure-hefr-inner-tunnel
(8) group authorize {
(8) - entering group authorize {...}
(8) [mschap] = noop
(8) ntdomain : Looking up realm "SOFR" for User-Name = "SOFR\masked-uid"
(8) ntdomain : Found realm "SOFR"
(8) ntdomain : Adding Realm = "SOFR"
(8) ntdomain : Authentication realm is LOCAL.
(8) [ntdomain] = ok
(8) update control {
(8) Proxy-To-Realm := 'LOCAL'
(8) } # update control = ok
(8) ? if (User-Name =~ /SOFR.(.*)$/)
(8) ? if (User-Name =~ /SOFR.(.*)$/) -> TRUE
(8) if (User-Name =~ /SOFR.(.*)$/) {
(8) - entering if (User-Name =~ /SOFR.(.*)$/) {...}
(8) update request {
(8) expand: "%{1}" -> 'masked-uid'
(8) Stripped-User-Name := "masked-uid"
(8) } # update request = ok
(8) - if (User-Name =~ /SOFR.(.*)$/) returns ok
(8) eap : EAP packet type response id 10 length 6
(8) eap : EAP-MSCHAPV2 success, returning short-circuit ok
(8) [eap] = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /srv/freeradius/etc/raddb/sites-enabled/secure-hefr-inner-tunnel
(8) group authenticate {
(8) - entering group authenticate {...}
(8) eap : Expiring EAP session with state 0x09e69a9108ec80a5
(8) eap : Finished EAP session with state 0x09e69a9108ec80a5
(8) eap : Previous EAP request found for state 0x09e69a9108ec80a5, released from the list
(8) eap : Peer sent MSCHAPv2 (26)
(8) eap : EAP MSCHAPv2 (26)
(8) eap : Calling eap_mschapv2 to process EAP data
(8) eap : Freeing handler
(8) [eap] = ok
(8) # Executing section post-auth from file /srv/freeradius/etc/raddb/sites-enabled/secure-hefr-inner-tunnel
(8) group post-auth {
(8) - entering group post-auth {...}
(8) auth_log : expand: "/srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-19700101'
(8) auth_log : /srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-19700101
(8) auth_log : expand: "%t" -> 'Thu Jan 1 01:00:00 1970'
(8) [auth_log] = ok
(8) policy wireless-policy {
(8) - entering policy wireless-policy {...}
(8) foreach reply:HESSO-Role-Raw {
(8) } # foreach reply:HESSO-Role-Raw = ok
(8) } # foreach reply:HESSO-Role-Raw = ok
(8) - policy wireless-policy returns ok
} # server secure-hefr-inner-tunnel
(8) eap_peap : Got tunneled reply code 2
MS-MPPE-Encryption-Policy = Encryption-Allowed
MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
MS-MPPE-Send-Key = 0x6db969e5fb5f0745ec08717ac16d8c3e
MS-MPPE-Recv-Key = 0x172bb98b1c777364dc9b118b7ca9fecb
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
Stripped-User-Name = 'masked-uid'
(8) eap_peap : Got tunneled reply RADIUS code 2
MS-MPPE-Encryption-Policy = Encryption-Allowed
MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
MS-MPPE-Send-Key = 0x6db969e5fb5f0745ec08717ac16d8c3e
MS-MPPE-Recv-Key = 0x172bb98b1c777364dc9b118b7ca9fecb
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
Stripped-User-Name = 'masked-uid'
(8) eap_peap : Tunneled authentication was successful.
(8) eap_peap : SUCCESS
(8) eap_peap : Saving tunneled attributes for later
(8) eap : New EAP session, adding 'State' attribute to reply 0xd6bf5df5deb44439
(8) [eap] = handled
Sending Access-Challenge of id 154 from 0.0.0.0 port 1812 to 000.00.157.2 port 32768
EAP-Message = 0x010b002b190017030100207b481ac6bea28302c1bb10e5078eecea5d2502ff0b421f5078b47fa27d70366d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd6bf5df5deb44439f1739a59943e5377
(8) Finished request 8.
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host 000.00.157.2 port 32768, id=155, length=299
User-Name = 'SOFR\\masked-uid'
Calling-Station-Id = '00-24-d7-9b-37-a4'
Called-Station-Id = '00-14-1b-b5-2e-70:SECURE-HEFR-2'
NAS-Port = 13
Cisco-AVPair = 'audit-session-id=a0629d02000000e851e7b6d1'
NAS-IP-Address = 000.00.157.2
NAS-Identifier = 'wlc.per80-EAP'
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = '112'
EAP-Message = 0x020b002b190017030100201b290abec72376de1f2e08ee8b42d272a2c47b9b9c0f47a6c4ea1daf79e867c6
State = 0xd6bf5df5deb44439f1739a59943e5377
Message-Authenticator = 0x3f313abcebdfa01d2b2569fd70c28fd5
(9) # Executing section authorize from file /srv/freeradius/etc/raddb/sites-enabled/hefr
(9) group authorize {
(9) - entering group authorize {...}
(9) ? if (NAS-Identifier =~ /.*-EAP$/)
(9) ? if (NAS-Identifier =~ /.*-EAP$/) -> TRUE
(9) if (NAS-Identifier =~ /.*-EAP$/) {
(9) - entering if (NAS-Identifier =~ /.*-EAP$/) {...}
(9) policy permit_only_eap {
(9) - entering policy permit_only_eap {...}
(9) ? if (!EAP-Message)
(9) ? if (!EAP-Message) -> FALSE
(9) - policy permit_only_eap returns notfound
(9) - if (NAS-Identifier =~ /.*-EAP$/) returns notfound
(9) policy rewrite_called_station_id {
(9) - entering policy rewrite_called_station_id {...}
(9) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)
(9) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE
(9) if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {
(9) - entering if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {...}
(9) update request {
(9) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-14-1b-b5-2e-70'
(9) Called-Station-Id := "00-14-1b-b5-2e-70"
(9) } # update request = notfound
(9) ? if ("%{8}")
(9) expand: "%{8}" -> 'SECURE-HEFR-2'
(9) ? if ("%{8}") -> TRUE
(9) if ("%{8}") {
(9) - entering if ("%{8}") {...}
(9) update request {
(9) expand: "%{8}" -> 'SECURE-HEFR-2'
(9) Called-Station-SSID := "SECURE-HEFR-2"
(9) } # update request = notfound
(9) - if ("%{8}") returns notfound
(9) [updated] = updated
(9) - if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) returns updated
(9) ... skipping else for request 9: Preceding "if" was taken
(9) - policy rewrite_called_station_id returns updated
(9) policy rewrite_calling_station_id {
(9) - entering policy rewrite_calling_station_id {...}
(9) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)
(9) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) -> TRUE
(9) if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
(9) - entering if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {...}
(9) update request {
(9) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-24-d7-9b-37-a4'
(9) Calling-Station-Id := "00-24-d7-9b-37-a4"
(9) } # update request = updated
(9) [updated] = updated
(9) - if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) returns updated
(9) ... skipping else for request 9: Preceding "if" was taken
(9) - policy rewrite_calling_station_id returns updated
(9) auth_log : expand: "/srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718'
(9) auth_log : /srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718
(9) auth_log : expand: "%t" -> 'Thu Jul 18 11:35:14 2013'
(9) [auth_log] = ok
(9) ntdomain : Looking up realm "SOFR" for User-Name = "SOFR\masked-uid"
(9) ntdomain : Found realm "SOFR"
(9) ntdomain : Adding Realm = "SOFR"
(9) ntdomain : Authentication realm is LOCAL.
(9) [ntdomain] = ok
(9) suffix : Request already has destination realm set. Ignoring.
(9) [suffix] = ok
(9) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2')
(9) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2') -> FALSE
(9) eap : EAP packet type response id 11 length 43
(9) eap : Continuing tunnel setup.
(9) [eap] = ok
(9) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4)
(9) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4) -> FALSE
(9) Found Auth-Type = EAP
(9) # Executing group from file /srv/freeradius/etc/raddb/sites-enabled/hefr
(9) group authenticate {
(9) - entering group authenticate {...}
(9) eap : Expiring EAP session with state 0xd6bf5df5deb44439
(9) eap : Finished EAP session with state 0xd6bf5df5deb44439
(9) eap : Previous EAP request found for state 0xd6bf5df5deb44439, released from the list
(9) eap : Peer sent PEAP (25)
(9) eap : EAP PEAP (25)
(9) eap : Calling eap_peap to process EAP data
(9) eap_peap : processing EAP-TLS
(9) eap_peap : eaptls_verify returned 7
(9) eap_peap : Done initial handshake
(9) eap_peap : eaptls_process returned 7
(9) eap_peap : FR_TLS_OK
(9) eap_peap : Session established. Decoding tunneled attributes.
(9) eap_peap : Peap state send tlv success
(9) eap_peap : Received EAP-TLV response.
(9) eap_peap : Success
(9) eap_peap : Using saved attributes from the original Access-Accept
Stripped-User-Name = 'masked-uid'
(9) WARNING: eap_peap : No information to cache: session caching will be disabled for session 2e4d29941698a934c07df3daaa9a121741d863190b8e9dbc0dcbe34abeef81d5
SSL: Removing session 2e4d29941698a934c07df3daaa9a121741d863190b8e9dbc0dcbe34abeef81d5 from the cache
(9) eap : Freeing handler
(9) [eap] = ok
(9) # Executing section post-auth from file /srv/freeradius/etc/raddb/sites-enabled/hefr
(9) group post-auth {
(9) - entering group post-auth {...}
(9) policy remove_reply_message_if_eap {
(9) - entering policy remove_reply_message_if_eap {...}
(9) ? if (reply:EAP-Message && reply:Reply-Message)
(9) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE
(9) else else {
(9) - entering else else {...}
(9) [noop] = noop
(9) - else else returns noop
(9) - policy remove_reply_message_if_eap returns noop
(9) auth_log : expand: "/srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718'
(9) auth_log : /srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718
(9) auth_log : expand: "%t" -> 'Thu Jul 18 11:35:14 2013'
(9) [auth_log] = ok
(9) policy wireless-policy {
(9) - entering policy wireless-policy {...}
(9) foreach reply:HESSO-Role-Raw {
(9) } # foreach reply:HESSO-Role-Raw = ok
(9) } # foreach reply:HESSO-Role-Raw = ok
(9) - policy wireless-policy returns ok
Sending Access-Accept of id 155 from 0.0.0.0 port 1812 to 000.00.157.2 port 32768
MS-MPPE-Recv-Key = xx
MS-MPPE-Send-Key = xx
EAP-Message = 0x030b0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = 'SOFR\\masked-uid'
(9) Finished request 9.