eap-peap/mschapv2 auth — FreeRADIUS 3.0.0 "radiusd -X" debug session: the effective-configuration dump followed by the first Access-Request of a PEAP/EAP-MSCHAPv2 authentication from a wireless controller. Shared secrets, addresses, the LDAP bind details and the User-Name have been hand-redacted, but the redaction is incomplete: the EAP-Message hex on the Identity response (0x0202001a01534f46525c…) still decodes to the un-masked identity (the "SOFR\" domain prefix followed by the real user name), the rlm_ldap connection lines print the real directory host (hefridm.hefr.ch:636) although "server" is masked, and the client MAC (Calling-Station-Id) and the Cisco audit-session-id are left as is. Debug output echoes every secret in the configuration; scrub it before sharing.
root@hefrrad03:~# radiusd -X | |
radiusd: FreeRADIUS Version 3.0.0, for host x86_64-unknown-linux-gnu, built on Jul 17 2013 at 16:21:28 | |
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors. | |
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A | |
PARTICULAR PURPOSE. | |
You may redistribute copies of FreeRADIUS under the terms of the | |
GNU General Public License. | |
For more information about these matters, see the file named COPYRIGHT. | |
Starting - reading configuration files ... | |
including dictionary file /srv/freeradius/etc/raddb/dictionary | |
including configuration file /srv/freeradius/etc/raddb/radiusd.conf | |
including files in directory /srv/freeradius/etc/raddb/local.d/ | |
including configuration file /srv/freeradius/etc/raddb/local.d/example | |
including configuration file /srv/freeradius/etc/raddb/local.d/eduroam.conf | |
including configuration file /srv/freeradius/etc/raddb/proxy.conf | |
including configuration file /srv/freeradius/etc/raddb/clients.conf | |
including files in directory /srv/freeradius/etc/raddb/mods-enabled/ | |
including configuration file /srv/freeradius/etc/raddb/mods-enabled/pap | |
including configuration file /srv/freeradius/etc/raddb/mods-enabled/mschap | |
including configuration file /srv/freeradius/etc/raddb/mods-enabled/exec | |
including configuration file /srv/freeradius/etc/raddb/mods-enabled/expiration | |
including configuration file /srv/freeradius/etc/raddb/mods-enabled/ntlm_auth | |
including configuration file /srv/freeradius/etc/raddb/mods-enabled/radutmp | |
including configuration file /srv/freeradius/etc/raddb/mods-enabled/chap | |
including configuration file /srv/freeradius/etc/raddb/mods-enabled/linelog | |
including configuration file /srv/freeradius/etc/raddb/mods-enabled/preprocess | |
including configuration file /srv/freeradius/etc/raddb/mods-enabled/dynamic_clients | |
including configuration file /srv/freeradius/etc/raddb/mods-enabled/replicate | |
including configuration file /srv/freeradius/etc/raddb/mods-enabled/digest | |
including configuration file /srv/freeradius/etc/raddb/mods-enabled/unix | |
including configuration file /srv/freeradius/etc/raddb/mods-enabled/utf8 | |
including configuration file /srv/freeradius/etc/raddb/mods-enabled/attr_filter | |
including configuration file /srv/freeradius/etc/raddb/mods-enabled/passwd | |
including configuration file /srv/freeradius/etc/raddb/mods-enabled/cache_eap | |
including configuration file /srv/freeradius/etc/raddb/mods-enabled/detail.log | |
including configuration file /srv/freeradius/etc/raddb/mods-enabled/sradutmp | |
including configuration file /srv/freeradius/etc/raddb/mods-enabled/realm | |
including configuration file /srv/freeradius/etc/raddb/mods-enabled/logintime | |
including configuration file /srv/freeradius/etc/raddb/mods-enabled/expr | |
including configuration file /srv/freeradius/etc/raddb/mods-enabled/files | |
including configuration file /srv/freeradius/etc/raddb/mods-enabled/echo | |
including configuration file /srv/freeradius/etc/raddb/mods-enabled/ldap | |
including configuration file /srv/freeradius/etc/raddb/mods-enabled/detail | |
including configuration file /srv/freeradius/etc/raddb/mods-enabled/always | |
including configuration file /srv/freeradius/etc/raddb/mods-enabled/dhcp | |
including configuration file /srv/freeradius/etc/raddb/mods-enabled/soh | |
including configuration file /srv/freeradius/etc/raddb/mods-enabled/eap | |
including files in directory /srv/freeradius/etc/raddb/policy.d/ | |
including configuration file /srv/freeradius/etc/raddb/policy.d/cui | |
including configuration file /srv/freeradius/etc/raddb/policy.d/filter | |
including configuration file /srv/freeradius/etc/raddb/policy.d/control | |
including configuration file /srv/freeradius/etc/raddb/policy.d/canonicalization | |
including configuration file /srv/freeradius/etc/raddb/policy.d/wireless-policy | |
including configuration file /srv/freeradius/etc/raddb/policy.d/accounting | |
including configuration file /srv/freeradius/etc/raddb/policy.d/operator-name | |
including configuration file /srv/freeradius/etc/raddb/policy.d/dhcp | |
including configuration file /srv/freeradius/etc/raddb/policy.d/eap | |
including files in directory /srv/freeradius/etc/raddb/sites-enabled/ | |
including configuration file /srv/freeradius/etc/raddb/sites-enabled/hefr | |
including configuration file /srv/freeradius/etc/raddb/sites-enabled/default | |
including configuration file /srv/freeradius/etc/raddb/sites-enabled/secure-hefr-inner-tunnel | |
including configuration file /srv/freeradius/etc/raddb/sites-enabled/inner-tunnel | |
main { | |
security { | |
allow_core_dumps = no | |
} | |
} | |
# Effective main{} section (radiusd -X echo of radiusd.conf).
# NOTE(review): no user/group setting is printed here and the session was
# started from a root prompt — confirm the daemon drops privileges in
# production; process memory holds every shared secret and the TLS key.
main { | |
name = "radiusd" | |
prefix = "/srv/freeradius" | |
localstatedir = "/srv/freeradius/var" | |
sbindir = "/srv/freeradius/sbin" | |
logdir = "/srv/freeradius/var/log" | |
run_dir = "/srv/freeradius/var/run/radiusd" | |
libdir = "/srv/freeradius/lib" | |
radacctdir = "/srv/freeradius/var/log/radacct" | |
# No reverse DNS in the request path (avoids a DNS dependency/DoS vector).
hostname_lookups = no | |
max_request_time = 30 | |
cleanup_delay = 5 | |
max_requests = 1024 | |
pidfile = "/srv/freeradius/var/run/radiusd/radiusd.pid" | |
checkrad = "/srv/freeradius/sbin/checkrad" | |
debug_level = 0 | |
# Proxying is enabled; which realms leave this server is decided by the
# realm table printed below (its DEFAULT realm forwards everything that
# is not matched locally).
proxy_requests = yes | |
log { | |
stripped_names = no | |
# auth = no: Access-Accept/Reject outcomes are not written to the main
# log, so there is no per-user authentication trail for incident
# response — auth = yes is the usual production setting.
# auth_badpass / auth_goodpass must stay "no": they add the password
# itself to the log line.
auth = no | |
auth_badpass = no | |
auth_goodpass = no | |
colourise = yes | |
} | |
security { | |
max_attributes = 200 | |
# One-second delay before each Access-Reject; throttles online password
# guessing through the NAS.
reject_delay = 1 | |
# Answers Status-Server pings (the home_servers below use status-server
# checks, so the peers presumably enable it too); a valid shared secret
# is still required.
status_server = yes | |
} | |
} | |
radiusd: #### Loading Realms and Home Servers #### | |
# First upstream HES-SO eduroam server of the fail-over pool. Plain RADIUS
# over UDP: the (redacted) shared secret is the only thing that
# authenticates the peer, and it only hides User-Password/MPPE attributes;
# EAP-carrying packets are integrity-protected by Message-Authenticator.
# NOTE(review): consider RADIUS/TLS if the hes-so.ch servers offer it —
# the outer identity and all NAS attributes cross this link in the clear.
home_server eduroam-rad1.hes-so.ch { | |
ipaddr = 000.00.240.20 | |
port = 1812 | |
type = "auth+acct" | |
proto = "udp" | |
secret = "asdfafddsaf" | |
response_window = 20 | |
max_outstanding = 65536 | |
# After zombie_period seconds without replies the server is marked
# "zombie"; Status-Server pings (status_check) decide when it is alive
# again, so the peer must accept Status-Server with this secret.
zombie_period = 40 | |
status_check = "status-server" | |
ping_interval = 30 | |
check_interval = 30 | |
num_answers_to_alive = 3 | |
revive_interval = 60 | |
status_check_timeout = 4 | |
coa { | |
irt = 2 | |
mrt = 16 | |
mrc = 5 | |
mrd = 30 | |
} | |
limit { | |
max_connections = 16 | |
max_requests = 0 | |
lifetime = 0 | |
idle_timeout = 0 | |
} | |
} | |
# Second member of the fail-over pool; same settings as rad1 apart from the
# address and (redacted) secret. Plain RADIUS/UDP, so only the secret
# authenticates the peer and the outer identity/NAS attributes are sent in
# the clear; the same RADIUS/TLS consideration applies to this link.
home_server eduroam-rad2.hes-so.ch { | |
ipaddr = 000.00.240.21 | |
port = 1812 | |
type = "auth+acct" | |
proto = "udp" | |
secret = "adsfsadfasdf" | |
response_window = 20 | |
max_outstanding = 65536 | |
zombie_period = 40 | |
status_check = "status-server" | |
ping_interval = 30 | |
check_interval = 30 | |
num_answers_to_alive = 3 | |
revive_interval = 60 | |
status_check_timeout = 4 | |
coa { | |
irt = 2 | |
mrt = 16 | |
mrc = 5 | |
mrd = 30 | |
} | |
limit { | |
max_connections = 16 | |
max_requests = 0 | |
lifetime = 0 | |
idle_timeout = 0 | |
} | |
} | |
# Realm table. "nostrip" keeps the realm in User-Name when a request is
# forwarded, so the home server receives the full NAI / domain-prefixed name.
# A realm with no pool is served locally.
realm SOFR { | |
nostrip | |
} | |
# The sample request below carries User-Name = 'SOFR\...'; it is matched to
# this realm only if the "ntdomain" realm module (prefix, "\" delimiter) is
# called in authorize — not visible in this dump.
home_server_pool EDUROAM-HESSO { | |
type = fail-over | |
home_server = eduroam-rad1.hes-so.ch | |
home_server = eduroam-rad2.hes-so.ch | |
} | |
# NOTE(review): hefr.ch is forwarded to the HES-SO pool rather than served
# locally, although the LDAP module below points at an hefr.ch directory —
# confirm this is the intended eduroam topology and not a left-over.
realm hefr.ch { | |
pool = EDUROAM-HESSO | |
nostrip | |
} | |
realm hes-so.ch { | |
pool = EDUROAM-HESSO | |
nostrip | |
} | |
realm LOCAL { | |
nostrip | |
} | |
realm NULL { | |
nostrip | |
} | |
# DEFAULT catches every realm not listed above and forwards it to the
# HES-SO pool (standard eduroam service-provider behaviour). Anything a
# supplicant writes after '@' therefore leaves this server over plain
# RADIUS/UDP; the outer identity and NAS attributes are visible upstream,
# the PEAP inner credential is not (it stays inside the TLS tunnel that
# terminates at the user's home server).
realm DEFAULT { | |
pool = EDUROAM-HESSO | |
nostrip | |
} | |
radiusd: #### Loading Clients #### | |
# The two upstream HES-SO servers as RADIUS clients (they send us requests
# for realms we serve). netmask = 31 covers exactly .20 and .21, i.e. the
# two home_servers above, sharing one (redacted) secret.
client eduroam-radX.hes-so.ch { | |
ipaddr = 000.00.240.20 | |
netmask = 31 | |
# Requests without a valid Message-Authenticator are dropped. Keep this
# "yes" for every EAP-speaking client: RFC 3579 §3.2 makes the attribute
# mandatory on Access-Requests that carry EAP-Message, and it is the only
# integrity check on the rest of the packet.
require_message_authenticator = yes | |
secret = "adsfadfdasfsaf" | |
shortname = "eduroam-hesso" | |
nas_type = "other" | |
virtual_server = "eduroam" | |
limit { | |
max_connections = 16 | |
lifetime = 0 | |
idle_timeout = 30 | |
} | |
} | |
client 127.0.0.1 { | |
ipaddr = 127.0.0.1 | |
netmask = 32 | |
require_message_authenticator = yes | |
secret = "asdfadsfsafdsaf" | |
shortname = "loopback" | |
nas_type = "other" | |
virtual_server = "eduroam" | |
limit { | |
max_connections = 16 | |
lifetime = 0 | |
idle_timeout = 30 | |
} | |
} | |
# Wireless LAN controller(s) — the NAS that sends the sample request below.
# NOTE(review): netmask = 23 accepts the same shared secret from any of the
# 512 addresses in the /23 that contains 000.00.157.2, so every host in
# that range can submit Access-Requests and Accounting as "hefr-wlc".
# Prefer one client entry per controller (netmask = 32, or a dedicated
# range) unless the whole /23 really is controllers.
client hefr-wlc { | |
ipaddr = 000.00.157.2 | |
netmask = 23 | |
# Required for EAP (RFC 3579 §3.2); do not relax.
require_message_authenticator = yes | |
secret = "adsfadsfasdfsaf" | |
shortname = "hefr-wlc" | |
nas_type = "other" | |
virtual_server = "eduroam" | |
limit { | |
max_connections = 16 | |
lifetime = 0 | |
idle_timeout = 30 | |
} | |
} | |
radiusd: #### Instantiating modules #### | |
instantiate { | |
} | |
modules { | |
# Loaded module rlm_pap | |
# Instantiating module "pap" from file /srv/freeradius/etc/raddb/mods-enabled/pap | |
pap { | |
auto_header = no | |
normalise = yes | |
} | |
# Loaded module rlm_mschap | |
# Instantiating module "mschap" from file /srv/freeradius/etc/raddb/mods-enabled/mschap | |
# rlm_mschap: verifies the MS-CHAPv2 challenge/response used by the
# EAP-MSCHAPv2 inner method (it needs the user's NT hash or cleartext
# password, which is what the eDirectory-enabled ldap module below supplies).
mschap { | |
use_mppe = yes | |
# require_encryption / require_strong = no: MPPE keys are returned but the
# peer is not forced to use them. Here MS-CHAPv2 only runs inside the
# PEAP/TTLS TLS tunnel, so the outer TLS — not MPPE — protects the exchange.
require_encryption = no | |
require_strong = no | |
# A "DOMAIN\user" User-Name (as in the sample request, 'SOFR\...') has the
# domain prefix removed before the NT-Response is computed, because Windows
# supplicants compute the response over the bare user name.
with_ntdomain_hack = yes | |
passchange { | |
} | |
# Lets a peer that failed retry within the same EAP conversation
# (presumably with a different password — check the rlm_mschap docs for
# this version). reject_delay in main{} still throttles the outer Reject.
allow_retry = yes | |
} | |
# Loaded module rlm_exec | |
# Instantiating module "exec" from file /srv/freeradius/etc/raddb/mods-enabled/exec | |
exec { | |
wait = no | |
input_pairs = "request" | |
shell_escape = yes | |
} | |
# Loaded module rlm_expiration | |
# Instantiating module "expiration" from file /srv/freeradius/etc/raddb/mods-enabled/expiration | |
# Instantiating module "ntlm_auth" from file /srv/freeradius/etc/raddb/mods-enabled/ntlm_auth | |
# Unconfigured template: "/path/to/ntlm_auth" and "MYDOMAIN" are the stock
# placeholders from the shipped mods-enabled/ntlm_auth, so this instance
# cannot work as printed and is presumably not referenced by any site.
# NOTE(review): unlink it from mods-enabled if unused. If it is wired up
# later, note that %{User-Password} is passed on the ntlm_auth command line
# and is briefly visible in the process table to local users; MS-CHAP via
# winbind is better done with rlm_mschap's own ntlm_auth setting, which
# passes challenge/response rather than the cleartext password.
exec ntlm_auth { | |
wait = yes | |
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" | |
shell_escape = yes | |
} | |
# Loaded module rlm_radutmp | |
# Instantiating module "radutmp" from file /srv/freeradius/etc/raddb/mods-enabled/radutmp | |
radutmp { | |
filename = "/srv/freeradius/var/log/radutmp" | |
username = "%{User-Name}" | |
case_sensitive = yes | |
check_with_nas = yes | |
permissions = 384 | |
caller_id = yes | |
} | |
# Loaded module rlm_chap | |
# Instantiating module "chap" from file /srv/freeradius/etc/raddb/mods-enabled/chap | |
# Loaded module rlm_linelog | |
# Instantiating module "linelog" from file /srv/freeradius/etc/raddb/mods-enabled/linelog | |
linelog { | |
filename = "/srv/freeradius/var/log/linelog" | |
permissions = 384 | |
format = "This is a log message for %{User-Name}" | |
reference = "%{%{Packet-Type}:-format}" | |
} | |
# Loaded module rlm_preprocess | |
# Instantiating module "preprocess" from file /srv/freeradius/etc/raddb/mods-enabled/preprocess | |
preprocess { | |
huntgroups = "/srv/freeradius/etc/raddb/mods-config/preprocess/huntgroups" | |
hints = "/srv/freeradius/etc/raddb/mods-config/preprocess/hints" | |
with_ascend_hack = no | |
ascend_channels_per_line = 23 | |
with_ntdomain_hack = no | |
with_specialix_jetstream_hack = no | |
with_cisco_vsa_hack = no | |
with_alvarion_vsa_hack = no | |
} | |
reading pairlist file /srv/freeradius/etc/raddb/mods-config/preprocess/huntgroups | |
reading pairlist file /srv/freeradius/etc/raddb/mods-config/preprocess/hints | |
# Loaded module rlm_dynamic_clients | |
# Instantiating module "dynamic_clients" from file /srv/freeradius/etc/raddb/mods-enabled/dynamic_clients | |
# Loaded module rlm_replicate | |
# Instantiating module "replicate" from file /srv/freeradius/etc/raddb/mods-enabled/replicate | |
# Loaded module rlm_digest | |
# Instantiating module "digest" from file /srv/freeradius/etc/raddb/mods-enabled/digest | |
# Loaded module rlm_unix | |
# Instantiating module "unix" from file /srv/freeradius/etc/raddb/mods-enabled/unix | |
unix { | |
radwtmp = "/srv/freeradius/var/log/radwtmp" | |
} | |
# Loaded module rlm_utf8 | |
# Instantiating module "utf8" from file /srv/freeradius/etc/raddb/mods-enabled/utf8 | |
# Loaded module rlm_attr_filter | |
# Instantiating module "attr_filter.post-proxy" from file /srv/freeradius/etc/raddb/mods-enabled/attr_filter | |
attr_filter attr_filter.post-proxy { | |
filename = "/srv/freeradius/etc/raddb/mods-config/attr_filter/post-proxy" | |
key = "%{Realm}" | |
relaxed = no | |
} | |
reading pairlist file /srv/freeradius/etc/raddb/mods-config/attr_filter/post-proxy | |
# Instantiating module "attr_filter.pre-proxy" from file /srv/freeradius/etc/raddb/mods-enabled/attr_filter | |
attr_filter attr_filter.pre-proxy { | |
filename = "/srv/freeradius/etc/raddb/mods-config/attr_filter/pre-proxy" | |
key = "%{Realm}" | |
relaxed = no | |
} | |
reading pairlist file /srv/freeradius/etc/raddb/mods-config/attr_filter/pre-proxy | |
# Instantiating module "attr_filter.access_reject" from file /srv/freeradius/etc/raddb/mods-enabled/attr_filter | |
attr_filter attr_filter.access_reject { | |
filename = "/srv/freeradius/etc/raddb/mods-config/attr_filter/access_reject" | |
key = "%{User-Name}" | |
relaxed = no | |
} | |
reading pairlist file /srv/freeradius/etc/raddb/mods-config/attr_filter/access_reject | |
# Instantiating module "attr_filter.access_challenge" from file /srv/freeradius/etc/raddb/mods-enabled/attr_filter | |
attr_filter attr_filter.access_challenge { | |
filename = "/srv/freeradius/etc/raddb/mods-config/attr_filter/access_challenge" | |
key = "%{User-Name}" | |
relaxed = no | |
} | |
reading pairlist file /srv/freeradius/etc/raddb/mods-config/attr_filter/access_challenge | |
# Instantiating module "attr_filter.accounting_response" from file /srv/freeradius/etc/raddb/mods-enabled/attr_filter | |
attr_filter attr_filter.accounting_response { | |
filename = "/srv/freeradius/etc/raddb/mods-config/attr_filter/accounting_response" | |
key = "%{User-Name}" | |
relaxed = no | |
} | |
reading pairlist file /srv/freeradius/etc/raddb/mods-config/attr_filter/accounting_response | |
# Loaded module rlm_passwd | |
# Instantiating module "etc_passwd" from file /srv/freeradius/etc/raddb/mods-enabled/passwd | |
passwd etc_passwd { | |
filename = "/etc/passwd" | |
format = "*User-Name:Crypt-Password:" | |
delimiter = ":" | |
ignore_nislike = no | |
ignore_empty = yes | |
allow_multiple_keys = no | |
hash_size = 100 | |
} | |
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no | |
# Loaded module rlm_cache | |
# Instantiating module "cache_eap" from file /srv/freeradius/etc/raddb/mods-enabled/cache_eap | |
cache cache_eap { | |
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" | |
ttl = 15 | |
max_entries = 16384 | |
epoch = 0 | |
add_stats = no | |
} | |
# Loaded module rlm_detail | |
# Instantiating module "auth_log" from file /srv/freeradius/etc/raddb/mods-enabled/detail.log | |
detail auth_log { | |
filename = "/srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" | |
header = "%t" | |
permissions = 384 | |
dir_permissions = 493 | |
locking = no | |
log_packet_header = no | |
} | |
# Instantiating module "reply_log" from file /srv/freeradius/etc/raddb/mods-enabled/detail.log | |
detail reply_log { | |
filename = "/srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" | |
header = "%t" | |
permissions = 384 | |
dir_permissions = 493 | |
locking = no | |
log_packet_header = no | |
} | |
# Instantiating module "pre_proxy_log" from file /srv/freeradius/etc/raddb/mods-enabled/detail.log | |
detail pre_proxy_log { | |
filename = "/srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" | |
header = "%t" | |
permissions = 384 | |
dir_permissions = 493 | |
locking = no | |
log_packet_header = no | |
} | |
# Instantiating module "post_proxy_log" from file /srv/freeradius/etc/raddb/mods-enabled/detail.log | |
detail post_proxy_log { | |
filename = "/srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" | |
header = "%t" | |
permissions = 384 | |
dir_permissions = 493 | |
locking = no | |
log_packet_header = no | |
} | |
# Instantiating module "sradutmp" from file /srv/freeradius/etc/raddb/mods-enabled/sradutmp | |
radutmp sradutmp { | |
filename = "/srv/freeradius/var/log/sradutmp" | |
username = "%{User-Name}" | |
case_sensitive = yes | |
check_with_nas = yes | |
permissions = 420 | |
caller_id = no | |
} | |
# Loaded module rlm_realm | |
# Instantiating module "IPASS" from file /srv/freeradius/etc/raddb/mods-enabled/realm | |
realm IPASS { | |
format = "prefix" | |
delimiter = "/" | |
ignore_default = no | |
ignore_null = no | |
} | |
# Instantiating module "suffix" from file /srv/freeradius/etc/raddb/mods-enabled/realm | |
realm suffix { | |
format = "suffix" | |
delimiter = "@" | |
ignore_default = no | |
ignore_null = no | |
} | |
# Instantiating module "realmpercent" from file /srv/freeradius/etc/raddb/mods-enabled/realm | |
realm realmpercent { | |
format = "suffix" | |
delimiter = "%" | |
ignore_default = no | |
ignore_null = no | |
} | |
# Instantiating module "ntdomain" from file /srv/freeradius/etc/raddb/mods-enabled/realm | |
realm ntdomain { | |
format = "prefix" | |
delimiter = "\" | |
ignore_default = yes | |
ignore_null = yes | |
} | |
# Loaded module rlm_logintime | |
# Instantiating module "logintime" from file /srv/freeradius/etc/raddb/mods-enabled/logintime | |
logintime { | |
minimum_timeout = 60 | |
} | |
# Loaded module rlm_expr | |
# Instantiating module "expr" from file /srv/freeradius/etc/raddb/mods-enabled/expr | |
expr { | |
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" | |
} | |
# Loaded module rlm_files | |
# Instantiating module "files" from file /srv/freeradius/etc/raddb/mods-enabled/files | |
files { | |
filename = "/srv/freeradius/etc/raddb/mods-config/files/authorize" | |
usersfile = "/srv/freeradius/etc/raddb/mods-config/files/authorize" | |
acctusersfile = "/srv/freeradius/etc/raddb/mods-config/files/accounting" | |
preproxy_usersfile = "/srv/freeradius/etc/raddb/mods-config/files/pre-proxy" | |
compat = "no" | |
} | |
reading pairlist file /srv/freeradius/etc/raddb/mods-config/files/authorize | |
reading pairlist file /srv/freeradius/etc/raddb/mods-config/files/authorize | |
reading pairlist file /srv/freeradius/etc/raddb/mods-config/files/accounting | |
reading pairlist file /srv/freeradius/etc/raddb/mods-config/files/pre-proxy | |
# Instantiating module "echo" from file /srv/freeradius/etc/raddb/mods-enabled/echo | |
exec echo { | |
wait = yes | |
program = "/bin/echo %{User-Name}" | |
input_pairs = "request" | |
output_pairs = "reply" | |
shell_escape = yes | |
} | |
# Loaded module rlm_ldap | |
# Instantiating module "ldap" from file /srv/freeradius/etc/raddb/mods-enabled/ldap | |
# rlm_ldap against Novell eDirectory (edir = yes) — presumably the directory
# the inner-tunnel server authenticates hefr users against. server, identity,
# password and base DNs are hand-redacted here, but NOTE(review): the
# connection log that follows prints the real host (hefridm.hefr.ch:636),
# so the redaction is incomplete.
ldap { | |
server = "afadfadsf" | |
# Port 636 with start_tls = no (tls section at the end) implies ldaps://.
# No ca_file / require_cert is printed, so server-certificate checking
# falls back to the libldap defaults (ldap.conf TLS_REQCERT) — confirm it
# is "demand"; otherwise the admin bind credential and user lookups go to
# whatever answers on 636.
port = 636 | |
# Admin bind credential. With edir = yes rlm_ldap retrieves the user's
# Universal Password from eDirectory (per the rlm_ldap docs) so that
# MS-CHAPv2 can be verified — this account is therefore highly privileged,
# and its password sits in cleartext in mods-enabled/ldap and in any
# radiusd -X output.
password = "asfdasdfa" | |
identity = "cadsfasfd,o=system" | |
edir = yes | |
edir_autz = yes | |
user { | |
# Lookup key: the realm-stripped name if a realm module stripped one,
# else the full User-Name. rlm_ldap applies LDAP filter escaping to the
# expanded value (verify for 3.0.0), so this is not an injection point
# by itself.
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" | |
scope = "sub" | |
base_dn = "ou=pasdfafdsefr" | |
access_positive = yes | |
} | |
group { | |
filter = "(objectClass=posixGroup)" | |
scope = "sub" | |
base_dn = "oasdfafr" | |
name_attribute = "cn" | |
membership_attribute = "memberOf" | |
cacheable_name = no | |
cacheable_dn = no | |
} | |
# Dynamic RADIUS clients (shared secrets included) can be loaded from
# frClient objects; only active if a dynamic-clients listener uses this
# module, which this dump does not show.
client { | |
filter = "(objectClass=frClient)" | |
scope = "sub" | |
base_dn = "o=hefr" | |
attribute { | |
identifier = "frClientIdentifier" | |
shortname = "cn" | |
secret = "frClientSecret" | |
} | |
} | |
profile { | |
filter = "(&)" | |
} | |
options { | |
# libldap debug mask (40 = 0x28, the shipped default); it can write bind
# DNs and search data into the server log — lower it outside
# troubleshooting.
ldap_debug = 40 | |
# chase_referrals + rebind: libldap follows referrals and re-binds to the
# referred-to server with the same identity/password above, i.e. the
# admin credential is sent to any server the directory points at. Keep
# only if every referral target is trusted (and reached over TLS).
chase_referrals = yes | |
rebind = yes | |
net_timeout = 1 | |
res_timeout = 20 | |
srv_timelimit = 20 | |
idle = 60 | |
probes = 3 | |
interval = 3 | |
} | |
tls { | |
start_tls = no | |
} | |
} | |
accounting { | |
reference = "%{tolower:type.%{Acct-Status-Type}}" | |
} | |
post-auth { | |
reference = "." | |
} | |
rlm_ldap (ldap): Initialising connection pool | |
pool { | |
start = 5 | |
min = 4 | |
max = 10 | |
spare = 3 | |
uses = 0 | |
lifetime = 0 | |
cleanup_delay = 5 | |
idle_timeout = 60 | |
spread = no | |
} | |
rlm_ldap (ldap): Opening additional connection (0) | |
rlm_ldap (ldap): Connecting to hefridm.hefr.ch:636 | |
rlm_ldap (ldap): Waiting for bind result... | |
rlm_ldap (ldap): Bind successful | |
rlm_ldap (ldap): Opening additional connection (1) | |
rlm_ldap (ldap): Connecting to hefridm.hefr.ch:636 | |
rlm_ldap (ldap): Waiting for bind result... | |
rlm_ldap (ldap): Bind successful | |
rlm_ldap (ldap): Opening additional connection (2) | |
rlm_ldap (ldap): Connecting to hefridm.hefr.ch:636 | |
rlm_ldap (ldap): Waiting for bind result... | |
rlm_ldap (ldap): Bind successful | |
rlm_ldap (ldap): Opening additional connection (3) | |
rlm_ldap (ldap): Connecting to hefridm.hefr.ch:636 | |
rlm_ldap (ldap): Waiting for bind result... | |
rlm_ldap (ldap): Bind successful | |
rlm_ldap (ldap): Opening additional connection (4) | |
rlm_ldap (ldap): Connecting to hefridm.hefr.ch:636 | |
rlm_ldap (ldap): Waiting for bind result... | |
rlm_ldap (ldap): Bind successful | |
# Instantiating module "detail" from file /srv/freeradius/etc/raddb/mods-enabled/detail | |
detail { | |
filename = "/srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" | |
header = "%t" | |
permissions = 384 | |
dir_permissions = 493 | |
locking = no | |
log_packet_header = no | |
} | |
# Loaded module rlm_always | |
# Instantiating module "fail" from file /srv/freeradius/etc/raddb/mods-enabled/always | |
always fail { | |
rcode = "fail" | |
simulcount = 0 | |
mpp = no | |
} | |
# Instantiating module "reject" from file /srv/freeradius/etc/raddb/mods-enabled/always | |
always reject { | |
rcode = "reject" | |
simulcount = 0 | |
mpp = no | |
} | |
# Instantiating module "noop" from file /srv/freeradius/etc/raddb/mods-enabled/always | |
always noop { | |
rcode = "noop" | |
simulcount = 0 | |
mpp = no | |
} | |
# Instantiating module "handled" from file /srv/freeradius/etc/raddb/mods-enabled/always | |
always handled { | |
rcode = "handled" | |
simulcount = 0 | |
mpp = no | |
} | |
# Instantiating module "updated" from file /srv/freeradius/etc/raddb/mods-enabled/always | |
always updated { | |
rcode = "updated" | |
simulcount = 0 | |
mpp = no | |
} | |
# Instantiating module "notfound" from file /srv/freeradius/etc/raddb/mods-enabled/always | |
always notfound { | |
rcode = "notfound" | |
simulcount = 0 | |
mpp = no | |
} | |
# Instantiating module "ok" from file /srv/freeradius/etc/raddb/mods-enabled/always | |
always ok { | |
rcode = "ok" | |
simulcount = 0 | |
mpp = no | |
} | |
# Loaded module rlm_dhcp | |
# Instantiating module "dhcp" from file /srv/freeradius/etc/raddb/mods-enabled/dhcp | |
# Loaded module rlm_soh | |
# Instantiating module "soh" from file /srv/freeradius/etc/raddb/mods-enabled/soh | |
soh { | |
dhcp = yes | |
} | |
# Loaded module rlm_eap | |
# Instantiating module "eap" from file /srv/freeradius/etc/raddb/mods-enabled/eap | |
eap { | |
default_eap_type = "peap" | |
timer_expire = 60 | |
ignore_unknown_eap_types = no | |
mod_accounting_username_bug = no | |
max_sessions = 4096 | |
} | |
# Linked to sub-module rlm_eap_md5 | |
# Linked to sub-module rlm_eap_tls | |
tls { | |
tls = "tls-common" | |
} | |
# Shared TLS settings for EAP-TLS/TTLS/PEAP (each sub-module below sets
# tls = "tls-common"). This is the server-side TLS that protects the inner
# MS-CHAPv2 exchange, so its strength bounds the whole authentication.
tls-config tls-common { | |
rsa_key_exchange = no | |
dh_key_exchange = yes | |
# Legacy ephemeral-key sizes. With dh_file set, the DH parameters are
# presumably taken from that file rather than generated at this length —
# NOTE(review): confirm certs/dh holds >= 2048-bit parameters; 512-bit
# ephemeral DH would make the tunnel trivially breakable offline.
rsa_key_length = 512 | |
dh_key_length = 512 | |
# verify_depth, ca_path, check_crl and the ocsp block only govern CLIENT
# certificate validation; ttls and peap below set require_client_cert = no,
# so none of them is exercised by this configuration.
verify_depth = 0 | |
ca_path = "/srv/freeradius/etc/raddb/certs" | |
pem_file_type = yes | |
# Server identity presented to supplicants. Supplicants must be provisioned
# to trust this chain and to check the name — the server cannot enforce
# that, and a supplicant that skips it hands its MS-CHAPv2 response to any
# rogue AP running its own RADIUS server.
private_key_file = "/srv/freeradius/etc/raddb/certs/eduroam.hes-so.ch.key" | |
certificate_file = "/srv/freeradius/etc/raddb/certs/eduroam.hes-so.ch-chained.crt" | |
# Redacted placeholder; the real passphrase is stored in cleartext in
# mods-enabled/eap and echoed by radiusd -X, which is one more reason not
# to paste debug output unscrubbed.
private_key_password = "whatever" | |
dh_file = "/srv/freeradius/etc/raddb/certs/dh" | |
random_file = "/srv/freeradius/etc/raddb/certs/random" | |
fragment_size = 1024 | |
include_length = yes | |
check_crl = no | |
# "DEFAULT" delegates cipher selection entirely to the OpenSSL build this
# 2013 binary links against: it is not an explicit list, so export, RC4 or
# NULL suites are excluded only if that OpenSSL excludes them. Pin an
# explicit cipher_list.
cipher_list = "DEFAULT" | |
ecdh_curve = "prime256v1" | |
# TLS session cache: resumption allowed for 24 (hours); max_entries = 0 is
# presumably "no limit" — a bounded value is safer on a public-facing server.
cache { | |
enable = yes | |
lifetime = 24 | |
max_entries = 0 | |
} | |
verify { | |
} | |
# OCSP is off (no client certs are requested anyway). If it were enabled,
# softfail = yes would accept a certificate whose OCSP check errors out.
ocsp { | |
enable = no | |
override_cert_url = yes | |
url = "http://127.0.0.1/ocsp/" | |
use_nonce = yes | |
timeout = 0 | |
softfail = yes | |
} | |
} | |
# Linked to sub-module rlm_eap_ttls | |
# EAP-TTLS with EAP-MSCHAPv2 as the default inner method, run in the
# "secure-hefr-inner-tunnel" virtual server. Outer request attributes are
# copied into the tunnel and inner reply attributes are copied back out
# (so the inner server decides e.g. VLAN assignment). No client
# certificate: the only thing authenticating the user is the inner
# MS-CHAPv2, which is safe only if the supplicant validates this server's
# certificate before it starts the inner exchange.
ttls { | |
tls = "tls-common" | |
default_eap_type = "mschapv2" | |
copy_request_to_tunnel = yes | |
use_tunneled_reply = yes | |
virtual_server = "secure-hefr-inner-tunnel" | |
include_length = yes | |
require_client_cert = no | |
} | |
Using cached TLS configuration from previous invocation | |
# Linked to sub-module rlm_eap_peap | |
# PEAP: outer TLS from tls-common, inner EAP-MSCHAPv2 (default_method) run
# in the "secure-hefr-inner-tunnel" virtual server — the path taken by the
# sample request below.
peap { | |
tls = "tls-common" | |
default_method = "mschapv2" | |
# Outer attributes (NAS-*, Calling/Called-Station-Id, ...) are made visible
# to the inner server so inner policy can key on NAS/SSID; reply attributes
# produced inside the tunnel (e.g. Tunnel-Private-Group-Id) are copied to
# the outer Access-Accept. The inner server therefore decides VLAN
# assignment — the outer server's post-auth policy should filter what it
# lets through.
copy_request_to_tunnel = yes | |
use_tunneled_reply = yes | |
# When the inner identity belongs to a foreign realm (DEFAULT realm above)
# the tunnelled request is proxied as EAP, not unwrapped to plain MS-CHAPv2,
# so the home server sees an EAP conversation.
proxy_tunneled_request_as_eap = yes | |
virtual_server = "secure-hefr-inner-tunnel" | |
soh = no | |
# No client certificate: the user is authenticated only by the inner
# MS-CHAPv2, so credential safety rests on the supplicant validating THIS
# server's certificate (and name) before the inner exchange starts.
require_client_cert = no | |
} | |
Using cached TLS configuration from previous invocation | |
# Linked to sub-module rlm_eap_mschapv2 | |
# EAP-MSCHAPv2 sub-module (the inner method).
mschapv2 { | |
# Applies to the user name carried inside the MS-CHAPv2 response packet,
# a different step from rlm_mschap's with_ntdomain_hack = yes above;
# presumably intended — confirm if inner authentications of 'DOMAIN\user'
# identities misbehave.
with_ntdomain_hack = no | |
# Failures are reported as a bare EAP-Failure without the MS-CHAP-Error
# text, so the peer is not told why it failed (no enumeration/lockout
# hints leak to the supplicant).
send_error = no | |
} | |
} # modules | |
radiusd: #### Loading Virtual Servers #### | |
server { # from file /srv/freeradius/etc/raddb/radiusd.conf | |
} # server | |
server eduroam { # from file /srv/freeradius/etc/raddb/sites-enabled/hefr | |
# Loading authenticate {...} | |
# Loading authorize {...} | |
# Loading virtual module permit_only_eap | |
# Loading virtual module rewrite_called_station_id | |
# Loading virtual module rewrite_calling_station_id | |
# Loading preacct {...} | |
# Loading accounting {...} | |
# Loading pre-proxy {...} | |
# Loading post-proxy {...} | |
# Loading virtual module split_username_nai | |
# Loading post-auth {...} | |
# Loading virtual module remove_reply_message_if_eap | |
# Loading virtual module wireless-policy | |
# Loading virtual module remove_reply_message_if_eap | |
} # server | |
server secure-hefr-inner-tunnel { # from file /srv/freeradius/etc/raddb/sites-enabled/secure-hefr-inner-tunnel | |
# Loading authenticate {...} | |
# Loading authorize {...} | |
# Loading post-auth {...} | |
# Loading virtual module wireless-policy | |
} # server | |
radiusd: #### Opening IP addresses and Ports #### | |
# Bind every address on 1812/1813 (the proxy socket on 1814, opened below,
# is also on *). Source filtering relies entirely on the client list above:
# packets from unlisted sources are dropped, but the sockets are still
# reachable from any interface. NOTE(review): bind to the specific RADIUS
# interface address if the host is multi-homed.
listen { | |
type = "auth" | |
ipaddr = * | |
port = 1812 | |
} | |
listen { | |
type = "acct" | |
ipaddr = * | |
port = 1813 | |
} | |
Listening on auth address * port 1812 | |
Listening on acct address * port 1813 | |
Opening new proxy address * port 1814 | |
Listening on proxy address * port 1814 | |
Ready to process requests. | |
rad_recv: Access-Request packet from host 000.00.157.2 port 32768, id=146, length=264 | |
User-Name = 'SOFR\\masked-uid' | |
Calling-Station-Id = '00-24-d7-9b-37-a4' | |
Called-Station-Id = '00-14-1b-b5-2e-70:SECURE-HEFR-2' | |
NAS-Port = 13 | |
Cisco-AVPair = 'audit-session-id=a0629d02000000e851e7b6d1' | |
NAS-IP-Address = 000.00.157.2 | |
NAS-Identifier = 'wlc.per80-EAP' | |
Airespace-Wlan-Id = 1 | |
Service-Type = Framed-User | |
Framed-MTU = 1300 | |
NAS-Port-Type = Wireless-802.11 | |
Tunnel-Type:0 = VLAN | |
Tunnel-Medium-Type:0 = IEEE-802 | |
Tunnel-Private-Group-Id:0 = '112' | |
EAP-Message = 0x0202001a01534f46525c6f6c69766965722e626579747269736f | |
Message-Authenticator = 0x7776649334f0988db7697c76a6a56ede | |
(0) # Executing section authorize from file /srv/freeradius/etc/raddb/sites-enabled/hefr | |
(0) group authorize { | |
(0) - entering group authorize {...} | |
(0) ? if (NAS-Identifier =~ /.*-EAP$/) | |
(0) ? if (NAS-Identifier =~ /.*-EAP$/) -> TRUE | |
(0) if (NAS-Identifier =~ /.*-EAP$/) { | |
(0) - entering if (NAS-Identifier =~ /.*-EAP$/) {...} | |
(0) policy permit_only_eap { | |
(0) - entering policy permit_only_eap {...} | |
(0) ? if (!EAP-Message) | |
(0) ? if (!EAP-Message) -> FALSE | |
(0) - policy permit_only_eap returns notfound | |
(0) - if (NAS-Identifier =~ /.*-EAP$/) returns notfound | |
(0) policy rewrite_called_station_id { | |
(0) - entering policy rewrite_called_station_id {...} | |
(0) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) | |
(0) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE | |
(0) if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) { | |
(0) - entering if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {...} | |
(0) update request { | |
(0) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-14-1b-b5-2e-70' | |
(0) Called-Station-Id := "00-14-1b-b5-2e-70" | |
(0) } # update request = notfound | |
(0) ? if ("%{8}") | |
(0) expand: "%{8}" -> 'SECURE-HEFR-2' | |
(0) ? if ("%{8}") -> TRUE | |
(0) if ("%{8}") { | |
(0) - entering if ("%{8}") {...} | |
(0) update request { | |
(0) expand: "%{8}" -> 'SECURE-HEFR-2' | |
(0) Called-Station-SSID := "SECURE-HEFR-2" | |
(0) } # update request = notfound | |
(0) - if ("%{8}") returns notfound | |
(0) [updated] = updated | |
(0) - if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) returns updated | |
(0) ... skipping else for request 0: Preceding "if" was taken | |
(0) - policy rewrite_called_station_id returns updated | |
(0) policy rewrite_calling_station_id { | |
(0) - entering policy rewrite_calling_station_id {...} | |
(0) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) | |
(0) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) -> TRUE | |
(0) if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) { | |
(0) - entering if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {...} | |
(0) update request { | |
(0) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-24-d7-9b-37-a4' | |
(0) Calling-Station-Id := "00-24-d7-9b-37-a4" | |
(0) } # update request = updated | |
(0) [updated] = updated | |
(0) - if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) returns updated | |
(0) ... skipping else for request 0: Preceding "if" was taken | |
(0) - policy rewrite_calling_station_id returns updated | |
(0) auth_log : expand: "/srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718' | |
(0) auth_log : /srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718 | |
(0) auth_log : expand: "%t" -> 'Thu Jul 18 11:35:14 2013' | |
(0) [auth_log] = ok | |
(0) ? if ("%{client:location}") | |
(0) expand: "%{client:location}" -> 'RORG-HEFR' | |
(0) ? if ("%{client:location}") -> TRUE | |
(0) if ("%{client:location}") { | |
(0) - entering if ("%{client:location}") {...} | |
(0) update request { | |
(0) expand: "%{client:location}" -> 'RORG-HEFR' | |
(0) HESSO-Location := "RORG-HEFR" | |
(0) } # update request = ok | |
(0) - if ("%{client:location}") returns ok | |
(0) ntdomain : Looking up realm "SOFR" for User-Name = "SOFR\masked-uid" | |
(0) ntdomain : Found realm "SOFR" | |
(0) ntdomain : Adding Realm = "SOFR" | |
(0) ntdomain : Authentication realm is LOCAL. | |
(0) [ntdomain] = ok | |
(0) suffix : Request already has destination realm set. Ignoring. | |
(0) [suffix] = ok | |
(0) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2') | |
(0) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2') -> FALSE | |
(0) eap : EAP packet type response id 2 length 26 | |
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize | |
(0) [eap] = ok | |
(0) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4) | |
(0) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4) -> FALSE | |
(0) Found Auth-Type = EAP | |
(0) # Executing group from file /srv/freeradius/etc/raddb/sites-enabled/hefr | |
(0) group authenticate { | |
(0) - entering group authenticate {...} | |
(0) eap : Peer sent Identity (1) | |
(0) eap : Calling eap_peap to process EAP data | |
(0) eap_peap : Flushing SSL sessions (of #0) | |
(0) eap_peap : Initiate | |
(0) eap_peap : Start returned 1 | |
(0) eap : New EAP session, adding 'State' attribute to reply 0xd6bf5df5d6bc4439 | |
(0) [eap] = handled | |
Sending Access-Challenge of id 146 from 0.0.0.0 port 1812 to 000.00.157.2 port 32768 | |
EAP-Message = 0x010300061920 | |
Message-Authenticator = 0x00000000000000000000000000000000 | |
State = 0xd6bf5df5d6bc4439f1739a59943e5377 | |
(0) Finished request 0. | |
Waking up in 0.3 seconds. | |
rad_recv: Access-Request packet from host 000.00.157.2 port 32768, id=147, length=393 | |
User-Name = 'SOFR\\masked-uid' | |
Calling-Station-Id = '00-24-d7-9b-37-a4' | |
Called-Station-Id = '00-14-1b-b5-2e-70:SECURE-HEFR-2' | |
NAS-Port = 13 | |
Cisco-AVPair = 'audit-session-id=a0629d02000000e851e7b6d1' | |
NAS-IP-Address = 000.00.157.2 | |
NAS-Identifier = 'wlc.per80-EAP' | |
Airespace-Wlan-Id = 1 | |
Service-Type = Framed-User | |
Framed-MTU = 1300 | |
NAS-Port-Type = Wireless-802.11 | |
Tunnel-Type:0 = VLAN | |
Tunnel-Medium-Type:0 = IEEE-802 | |
Tunnel-Private-Group-Id:0 = '112' | |
EAP-Message = 0x0203008919800000007f160301007a01000076030151e7b6ce6e9101d96ba664e18d090e9c4548cb641ced68611fff86ed20fe72612015ab893fe6f899a4316ac6df02bfb89e214e98b4697923a1c1638b132984e81e0018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100 | |
State = 0xd6bf5df5d6bc4439f1739a59943e5377 | |
Message-Authenticator = 0x958474f0a36c55881f1bcffa53f618f8 | |
(1) # Executing section authorize from file /srv/freeradius/etc/raddb/sites-enabled/hefr | |
(1) group authorize { | |
(1) - entering group authorize {...} | |
(1) ? if (NAS-Identifier =~ /.*-EAP$/) | |
(1) ? if (NAS-Identifier =~ /.*-EAP$/) -> TRUE | |
(1) if (NAS-Identifier =~ /.*-EAP$/) { | |
(1) - entering if (NAS-Identifier =~ /.*-EAP$/) {...} | |
(1) policy permit_only_eap { | |
(1) - entering policy permit_only_eap {...} | |
(1) ? if (!EAP-Message) | |
(1) ? if (!EAP-Message) -> FALSE | |
(1) - policy permit_only_eap returns notfound | |
(1) - if (NAS-Identifier =~ /.*-EAP$/) returns notfound | |
(1) policy rewrite_called_station_id { | |
(1) - entering policy rewrite_called_station_id {...} | |
(1) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) | |
(1) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE | |
(1) if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) { | |
(1) - entering if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {...} | |
(1) update request { | |
(1) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-14-1b-b5-2e-70' | |
(1) Called-Station-Id := "00-14-1b-b5-2e-70" | |
(1) } # update request = notfound | |
(1) ? if ("%{8}") | |
(1) expand: "%{8}" -> 'SECURE-HEFR-2' | |
(1) ? if ("%{8}") -> TRUE | |
(1) if ("%{8}") { | |
(1) - entering if ("%{8}") {...} | |
(1) update request { | |
(1) expand: "%{8}" -> 'SECURE-HEFR-2' | |
(1) Called-Station-SSID := "SECURE-HEFR-2" | |
(1) } # update request = notfound | |
(1) - if ("%{8}") returns notfound | |
(1) [updated] = updated | |
(1) - if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) returns updated | |
(1) ... skipping else for request 1: Preceding "if" was taken | |
(1) - policy rewrite_called_station_id returns updated | |
(1) policy rewrite_calling_station_id { | |
(1) - entering policy rewrite_calling_station_id {...} | |
(1) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) | |
(1) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) -> TRUE | |
(1) if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) { | |
(1) - entering if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {...} | |
(1) update request { | |
(1) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-24-d7-9b-37-a4' | |
(1) Calling-Station-Id := "00-24-d7-9b-37-a4" | |
(1) } # update request = updated | |
(1) [updated] = updated | |
(1) - if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) returns updated | |
(1) ... skipping else for request 1: Preceding "if" was taken | |
(1) - policy rewrite_calling_station_id returns updated | |
(1) auth_log : expand: "/srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718' | |
(1) auth_log : /srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718 | |
(1) auth_log : expand: "%t" -> 'Thu Jul 18 11:35:14 2013' | |
(1) [auth_log] = ok | |
(1) ? if ("%{client:location}") | |
(1) expand: "%{client:location}" -> 'RORG-HEFR' | |
(1) ? if ("%{client:location}") -> TRUE | |
(1) if ("%{client:location}") { | |
(1) - entering if ("%{client:location}") {...} | |
(1) update request { | |
(1) expand: "%{client:location}" -> 'RORG-HEFR' | |
(1) HESSO-Location := "RORG-HEFR" | |
(1) } # update request = ok | |
(1) - if ("%{client:location}") returns ok | |
(1) ntdomain : Looking up realm "SOFR" for User-Name = "SOFR\masked-uid" | |
(1) ntdomain : Found realm "SOFR" | |
(1) ntdomain : Adding Realm = "SOFR" | |
(1) ntdomain : Authentication realm is LOCAL. | |
(1) [ntdomain] = ok | |
(1) suffix : Request already has destination realm set. Ignoring. | |
(1) [suffix] = ok | |
(1) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2') | |
(1) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2') -> FALSE | |
(1) eap : EAP packet type response id 3 length 137 | |
(1) eap : Continuing tunnel setup. | |
(1) [eap] = ok | |
(1) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4) | |
(1) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4) -> FALSE | |
(1) Found Auth-Type = EAP | |
(1) # Executing group from file /srv/freeradius/etc/raddb/sites-enabled/hefr | |
(1) group authenticate { | |
(1) - entering group authenticate {...} | |
(1) eap : Expiring EAP session with state 0xd6bf5df5d6bc4439 | |
(1) eap : Finished EAP session with state 0xd6bf5df5d6bc4439 | |
(1) eap : Previous EAP request found for state 0xd6bf5df5d6bc4439, released from the list | |
(1) eap : Peer sent PEAP (25) | |
(1) eap : EAP PEAP (25) | |
(1) eap : Calling eap_peap to process EAP data | |
(1) eap_peap : processing EAP-TLS | |
TLS Length 127 | |
(1) eap_peap : Length Included | |
(1) eap_peap : eaptls_verify returned 11 | |
(1) eap_peap : (other): before/accept initialization | |
(1) eap_peap : TLS_accept: before/accept initialization | |
(1) eap_peap : <<< TLS 1.0 Handshake [length 007a], ClientHello | |
SSL: Client requested cached session 15ab893fe6f899a4316ac6df02bfb89e214e98b4697923a1c1638b132984e81e | |
(1) eap_peap : TLS_accept: SSLv3 read client hello A | |
(1) eap_peap : >>> TLS 1.0 Handshake [length 0051], ServerHello | |
(1) eap_peap : TLS_accept: SSLv3 write server hello A | |
(1) eap_peap : >>> TLS 1.0 Handshake [length 0aa1], Certificate | |
(1) eap_peap : TLS_accept: SSLv3 write certificate A | |
(1) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone | |
(1) eap_peap : TLS_accept: SSLv3 write server done A | |
(1) eap_peap : TLS_accept: SSLv3 flush data | |
(1) eap_peap : TLS_accept: Need to read more data: SSLv3 read client certificate A | |
In SSL Handshake Phase | |
In SSL Accept mode | |
(1) eap_peap : eaptls_process returned 13 | |
(1) eap_peap : FR_TLS_HANDLED | |
(1) eap : New EAP session, adding 'State' attribute to reply 0xd6bf5df5d7bb4439 | |
(1) [eap] = handled | |
Sending Access-Challenge of id 147 from 0.0.0.0 port 1812 to 000.00.157.2 port 32768 | |
EAP-Message = | |
Message-Authenticator = 0x00000000000000000000000000000000 | |
State = 0xd6bf5df5d7bb4439f1739a59943e5377 | |
(1) Finished request 1. | |
Waking up in 0.3 seconds. | |
rad_recv: Access-Request packet from host 000.00.157.2 port 32768, id=148, length=262 | |
User-Name = 'SOFR\\masked-uid' | |
Calling-Station-Id = '00-24-d7-9b-37-a4' | |
Called-Station-Id = '00-14-1b-b5-2e-70:SECURE-HEFR-2' | |
NAS-Port = 13 | |
Cisco-AVPair = 'audit-session-id=a0629d02000000e851e7b6d1' | |
NAS-IP-Address = 000.00.157.2 | |
NAS-Identifier = 'wlc.per80-EAP' | |
Airespace-Wlan-Id = 1 | |
Service-Type = Framed-User | |
Framed-MTU = 1300 | |
NAS-Port-Type = Wireless-802.11 | |
Tunnel-Type:0 = VLAN | |
Tunnel-Medium-Type:0 = IEEE-802 | |
Tunnel-Private-Group-Id:0 = '112' | |
EAP-Message = 0x020400061900 | |
State = 0xd6bf5df5d7bb4439f1739a59943e5377 | |
Message-Authenticator = 0x89fb5dead461aed5f007286d6519290a | |
(2) # Executing section authorize from file /srv/freeradius/etc/raddb/sites-enabled/hefr | |
(2) group authorize { | |
(2) - entering group authorize {...} | |
(2) ? if (NAS-Identifier =~ /.*-EAP$/) | |
(2) ? if (NAS-Identifier =~ /.*-EAP$/) -> TRUE | |
(2) if (NAS-Identifier =~ /.*-EAP$/) { | |
(2) - entering if (NAS-Identifier =~ /.*-EAP$/) {...} | |
(2) policy permit_only_eap { | |
(2) - entering policy permit_only_eap {...} | |
(2) ? if (!EAP-Message) | |
(2) ? if (!EAP-Message) -> FALSE | |
(2) - policy permit_only_eap returns notfound | |
(2) - if (NAS-Identifier =~ /.*-EAP$/) returns notfound | |
(2) policy rewrite_called_station_id { | |
(2) - entering policy rewrite_called_station_id {...} | |
(2) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) | |
(2) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE | |
(2) if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) { | |
(2) - entering if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {...} | |
(2) update request { | |
(2) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-14-1b-b5-2e-70' | |
(2) Called-Station-Id := "00-14-1b-b5-2e-70" | |
(2) } # update request = notfound | |
(2) ? if ("%{8}") | |
(2) expand: "%{8}" -> 'SECURE-HEFR-2' | |
(2) ? if ("%{8}") -> TRUE | |
(2) if ("%{8}") { | |
(2) - entering if ("%{8}") {...} | |
(2) update request { | |
(2) expand: "%{8}" -> 'SECURE-HEFR-2' | |
(2) Called-Station-SSID := "SECURE-HEFR-2" | |
(2) } # update request = notfound | |
(2) - if ("%{8}") returns notfound | |
(2) [updated] = updated | |
(2) - if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) returns updated | |
(2) ... skipping else for request 2: Preceding "if" was taken | |
(2) - policy rewrite_called_station_id returns updated | |
(2) policy rewrite_calling_station_id { | |
(2) - entering policy rewrite_calling_station_id {...} | |
(2) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) | |
(2) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) -> TRUE | |
(2) if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) { | |
(2) - entering if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {...} | |
(2) update request { | |
(2) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-24-d7-9b-37-a4' | |
(2) Calling-Station-Id := "00-24-d7-9b-37-a4" | |
(2) } # update request = updated | |
(2) [updated] = updated | |
(2) - if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) returns updated | |
(2) ... skipping else for request 2: Preceding "if" was taken | |
(2) - policy rewrite_calling_station_id returns updated | |
(2) auth_log : expand: "/srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718' | |
(2) auth_log : /srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718 | |
(2) auth_log : expand: "%t" -> 'Thu Jul 18 11:35:14 2013' | |
(2) [auth_log] = ok | |
(2) ? if ("%{client:location}") | |
(2) expand: "%{client:location}" -> 'RORG-HEFR' | |
(2) ? if ("%{client:location}") -> TRUE | |
(2) if ("%{client:location}") { | |
(2) - entering if ("%{client:location}") {...} | |
(2) update request { | |
(2) expand: "%{client:location}" -> 'RORG-HEFR' | |
(2) HESSO-Location := "RORG-HEFR" | |
(2) } # update request = ok | |
(2) - if ("%{client:location}") returns ok | |
(2) ntdomain : Looking up realm "SOFR" for User-Name = "SOFR\masked-uid" | |
(2) ntdomain : Found realm "SOFR" | |
(2) ntdomain : Adding Realm = "SOFR" | |
(2) ntdomain : Authentication realm is LOCAL. | |
(2) [ntdomain] = ok | |
(2) suffix : Request already has destination realm set. Ignoring. | |
(2) [suffix] = ok | |
(2) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2') | |
(2) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2') -> FALSE | |
(2) eap : EAP packet type response id 4 length 6 | |
(2) eap : Continuing tunnel setup. | |
(2) [eap] = ok | |
(2) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4) | |
(2) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4) -> FALSE | |
(2) Found Auth-Type = EAP | |
(2) # Executing group from file /srv/freeradius/etc/raddb/sites-enabled/hefr | |
(2) group authenticate { | |
(2) - entering group authenticate {...} | |
(2) eap : Expiring EAP session with state 0xd6bf5df5d7bb4439 | |
(2) eap : Finished EAP session with state 0xd6bf5df5d7bb4439 | |
(2) eap : Previous EAP request found for state 0xd6bf5df5d7bb4439, released from the list | |
(2) eap : Peer sent PEAP (25) | |
(2) eap : EAP PEAP (25) | |
(2) eap : Calling eap_peap to process EAP data | |
(2) eap_peap : processing EAP-TLS | |
(2) eap_peap : Received TLS ACK | |
(2) eap_peap : Received TLS ACK | |
(2) eap_peap : ACK handshake fragment handler | |
(2) eap_peap : eaptls_verify returned 1 | |
(2) eap_peap : eaptls_process returned 13 | |
(2) eap_peap : FR_TLS_HANDLED | |
(2) eap : New EAP session, adding 'State' attribute to reply 0xd6bf5df5d4ba4439 | |
(2) [eap] = handled | |
Sending Access-Challenge of id 148 from 0.0.0.0 port 1812 to 000.00.157.2 port 32768 | |
EAP-Message = | |
Message-Authenticator = 0x00000000000000000000000000000000 | |
State = 0xd6bf5df5d4ba4439f1739a59943e5377 | |
(2) Finished request 2. | |
Waking up in 0.3 seconds. | |
rad_recv: Access-Request packet from host 000.00.157.2 port 32768, id=149, length=262 | |
User-Name = 'SOFR\\masked-uid' | |
Calling-Station-Id = '00-24-d7-9b-37-a4' | |
Called-Station-Id = '00-14-1b-b5-2e-70:SECURE-HEFR-2' | |
NAS-Port = 13 | |
Cisco-AVPair = 'audit-session-id=a0629d02000000e851e7b6d1' | |
NAS-IP-Address = 000.00.157.2 | |
NAS-Identifier = 'wlc.per80-EAP' | |
Airespace-Wlan-Id = 1 | |
Service-Type = Framed-User | |
Framed-MTU = 1300 | |
NAS-Port-Type = Wireless-802.11 | |
Tunnel-Type:0 = VLAN | |
Tunnel-Medium-Type:0 = IEEE-802 | |
Tunnel-Private-Group-Id:0 = '112' | |
EAP-Message = 0x020500061900 | |
State = 0xd6bf5df5d4ba4439f1739a59943e5377 | |
Message-Authenticator = 0xfab77ed12d173c5b714ff6290534b457 | |
(3) # Executing section authorize from file /srv/freeradius/etc/raddb/sites-enabled/hefr | |
(3) group authorize { | |
(3) - entering group authorize {...} | |
(3) ? if (NAS-Identifier =~ /.*-EAP$/) | |
(3) ? if (NAS-Identifier =~ /.*-EAP$/) -> TRUE | |
(3) if (NAS-Identifier =~ /.*-EAP$/) { | |
(3) - entering if (NAS-Identifier =~ /.*-EAP$/) {...} | |
(3) policy permit_only_eap { | |
(3) - entering policy permit_only_eap {...} | |
(3) ? if (!EAP-Message) | |
(3) ? if (!EAP-Message) -> FALSE | |
(3) - policy permit_only_eap returns notfound | |
(3) - if (NAS-Identifier =~ /.*-EAP$/) returns notfound | |
(3) policy rewrite_called_station_id { | |
(3) - entering policy rewrite_called_station_id {...} | |
(3) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) | |
(3) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE | |
(3) if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) { | |
(3) - entering if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {...} | |
(3) update request { | |
(3) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-14-1b-b5-2e-70' | |
(3) Called-Station-Id := "00-14-1b-b5-2e-70" | |
(3) } # update request = notfound | |
(3) ? if ("%{8}") | |
(3) expand: "%{8}" -> 'SECURE-HEFR-2' | |
(3) ? if ("%{8}") -> TRUE | |
(3) if ("%{8}") { | |
(3) - entering if ("%{8}") {...} | |
(3) update request { | |
(3) expand: "%{8}" -> 'SECURE-HEFR-2' | |
(3) Called-Station-SSID := "SECURE-HEFR-2" | |
(3) } # update request = notfound | |
(3) - if ("%{8}") returns notfound | |
(3) [updated] = updated | |
(3) - if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) returns updated | |
(3) ... skipping else for request 3: Preceding "if" was taken | |
(3) - policy rewrite_called_station_id returns updated | |
(3) policy rewrite_calling_station_id { | |
(3) - entering policy rewrite_calling_station_id {...} | |
(3) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) | |
(3) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) -> TRUE | |
(3) if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) { | |
(3) - entering if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {...} | |
(3) update request { | |
(3) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-24-d7-9b-37-a4' | |
(3) Calling-Station-Id := "00-24-d7-9b-37-a4" | |
(3) } # update request = updated | |
(3) [updated] = updated | |
(3) - if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) returns updated | |
(3) ... skipping else for request 3: Preceding "if" was taken | |
(3) - policy rewrite_calling_station_id returns updated | |
(3) auth_log : expand: "/srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718' | |
(3) auth_log : /srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718 | |
(3) auth_log : expand: "%t" -> 'Thu Jul 18 11:35:14 2013' | |
(3) [auth_log] = ok | |
(3) ? if ("%{client:location}") | |
(3) expand: "%{client:location}" -> 'RORG-HEFR' | |
(3) ? if ("%{client:location}") -> TRUE | |
(3) if ("%{client:location}") { | |
(3) - entering if ("%{client:location}") {...} | |
(3) update request { | |
(3) expand: "%{client:location}" -> 'RORG-HEFR' | |
(3) HESSO-Location := "RORG-HEFR" | |
(3) } # update request = ok | |
(3) - if ("%{client:location}") returns ok | |
(3) ntdomain : Looking up realm "SOFR" for User-Name = "SOFR\masked-uid" | |
(3) ntdomain : Found realm "SOFR" | |
(3) ntdomain : Adding Realm = "SOFR" | |
(3) ntdomain : Authentication realm is LOCAL. | |
(3) [ntdomain] = ok | |
(3) suffix : Request already has destination realm set. Ignoring. | |
(3) [suffix] = ok | |
(3) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2') | |
(3) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2') -> FALSE | |
(3) eap : EAP packet type response id 5 length 6 | |
(3) eap : Continuing tunnel setup. | |
(3) [eap] = ok | |
(3) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4) | |
(3) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4) -> FALSE | |
(3) Found Auth-Type = EAP | |
(3) # Executing group from file /srv/freeradius/etc/raddb/sites-enabled/hefr | |
(3) group authenticate { | |
(3) - entering group authenticate {...} | |
(3) eap : Expiring EAP session with state 0xd6bf5df5d4ba4439 | |
(3) eap : Finished EAP session with state 0xd6bf5df5d4ba4439 | |
(3) eap : Previous EAP request found for state 0xd6bf5df5d4ba4439, released from the list | |
(3) eap : Peer sent PEAP (25) | |
(3) eap : EAP PEAP (25) | |
(3) eap : Calling eap_peap to process EAP data | |
(3) eap_peap : processing EAP-TLS | |
(3) eap_peap : Received TLS ACK | |
(3) eap_peap : Received TLS ACK | |
(3) eap_peap : ACK handshake fragment handler | |
(3) eap_peap : eaptls_verify returned 1 | |
(3) eap_peap : eaptls_process returned 13 | |
(3) eap_peap : FR_TLS_HANDLED | |
(3) eap : New EAP session, adding 'State' attribute to reply 0xd6bf5df5d5b94439 | |
(3) [eap] = handled | |
Sending Access-Challenge of id 149 from 0.0.0.0 port 1812 to 000.00.157.2 port 32768 | |
EAP-Message = | |
Message-Authenticator = 0x00000000000000000000000000000000 | |
State = 0xd6bf5df5d5b94439f1739a59943e5377 | |
(3) Finished request 3. | |
Waking up in 0.3 seconds. | |
rad_recv: Access-Request packet from host 000.00.157.2 port 32768, id=150, length=594 | |
User-Name = 'SOFR\\masked-uid' | |
Calling-Station-Id = '00-24-d7-9b-37-a4' | |
Called-Station-Id = '00-14-1b-b5-2e-70:SECURE-HEFR-2' | |
NAS-Port = 13 | |
Cisco-AVPair = 'audit-session-id=a0629d02000000e851e7b6d1' | |
NAS-IP-Address = 000.00.157.2 | |
NAS-Identifier = 'wlc.per80-EAP' | |
Airespace-Wlan-Id = 1 | |
Service-Type = Framed-User | |
Framed-MTU = 1300 | |
NAS-Port-Type = Wireless-802.11 | |
Tunnel-Type:0 = VLAN | |
Tunnel-Medium-Type:0 = IEEE-802 | |
Tunnel-Private-Group-Id:0 = '112' | |
EAP-Message = 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 | |
State = 0xd6bf5df5d5b94439f1739a59943e5377 | |
Message-Authenticator = 0x4e7585e7ba02eecfbd7ce2e84335b787 | |
(4) # Executing section authorize from file /srv/freeradius/etc/raddb/sites-enabled/hefr | |
(4) group authorize { | |
(4) - entering group authorize {...} | |
(4) ? if (NAS-Identifier =~ /.*-EAP$/) | |
(4) ? if (NAS-Identifier =~ /.*-EAP$/) -> TRUE | |
(4) if (NAS-Identifier =~ /.*-EAP$/) { | |
(4) - entering if (NAS-Identifier =~ /.*-EAP$/) {...} | |
(4) policy permit_only_eap { | |
(4) - entering policy permit_only_eap {...} | |
(4) ? if (!EAP-Message) | |
(4) ? if (!EAP-Message) -> FALSE | |
(4) - policy permit_only_eap returns notfound | |
(4) - if (NAS-Identifier =~ /.*-EAP$/) returns notfound | |
(4) policy rewrite_called_station_id { | |
(4) - entering policy rewrite_called_station_id {...} | |
(4) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) | |
(4) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE | |
(4) if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) { | |
(4) - entering if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {...} | |
(4) update request { | |
(4) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-14-1b-b5-2e-70' | |
(4) Called-Station-Id := "00-14-1b-b5-2e-70" | |
(4) } # update request = notfound | |
(4) ? if ("%{8}") | |
(4) expand: "%{8}" -> 'SECURE-HEFR-2' | |
(4) ? if ("%{8}") -> TRUE | |
(4) if ("%{8}") { | |
(4) - entering if ("%{8}") {...} | |
(4) update request { | |
(4) expand: "%{8}" -> 'SECURE-HEFR-2' | |
(4) Called-Station-SSID := "SECURE-HEFR-2" | |
(4) } # update request = notfound | |
(4) - if ("%{8}") returns notfound | |
(4) [updated] = updated | |
(4) - if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) returns updated | |
(4) ... skipping else for request 4: Preceding "if" was taken | |
(4) - policy rewrite_called_station_id returns updated | |
(4) policy rewrite_calling_station_id { | |
(4) - entering policy rewrite_calling_station_id {...} | |
(4) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) | |
(4) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) -> TRUE | |
(4) if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) { | |
(4) - entering if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {...} | |
(4) update request { | |
(4) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-24-d7-9b-37-a4' | |
(4) Calling-Station-Id := "00-24-d7-9b-37-a4" | |
(4) } # update request = updated | |
(4) [updated] = updated | |
(4) - if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) returns updated | |
(4) ... skipping else for request 4: Preceding "if" was taken | |
(4) - policy rewrite_calling_station_id returns updated | |
(4) auth_log : expand: "/srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718' | |
(4) auth_log : /srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718 | |
(4) auth_log : expand: "%t" -> 'Thu Jul 18 11:35:14 2013' | |
(4) [auth_log] = ok | |
(4) ? if ("%{client:location}") | |
(4) expand: "%{client:location}" -> 'RORG-HEFR' | |
(4) ? if ("%{client:location}") -> TRUE | |
(4) if ("%{client:location}") { | |
(4) - entering if ("%{client:location}") {...} | |
(4) update request { | |
(4) expand: "%{client:location}" -> 'RORG-HEFR' | |
(4) HESSO-Location := "RORG-HEFR" | |
(4) } # update request = ok | |
(4) - if ("%{client:location}") returns ok | |
(4) ntdomain : Looking up realm "SOFR" for User-Name = "SOFR\masked-uid" | |
(4) ntdomain : Found realm "SOFR" | |
(4) ntdomain : Adding Realm = "SOFR" | |
(4) ntdomain : Authentication realm is LOCAL. | |
(4) [ntdomain] = ok | |
(4) suffix : Request already has destination realm set. Ignoring. | |
(4) [suffix] = ok | |
(4) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2') | |
(4) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2') -> FALSE | |
(4) eap : EAP packet type response id 6 length 336 | |
(4) eap : Continuing tunnel setup. | |
(4) [eap] = ok | |
(4) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4) | |
(4) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4) -> FALSE | |
(4) Found Auth-Type = EAP | |
(4) # Executing group from file /srv/freeradius/etc/raddb/sites-enabled/hefr | |
(4) group authenticate { | |
(4) - entering group authenticate {...} | |
(4) eap : Expiring EAP session with state 0xd6bf5df5d5b94439 | |
(4) eap : Finished EAP session with state 0xd6bf5df5d5b94439 | |
(4) eap : Previous EAP request found for state 0xd6bf5df5d5b94439, released from the list | |
(4) eap : Peer sent PEAP (25) | |
(4) eap : EAP PEAP (25) | |
(4) eap : Calling eap_peap to process EAP data | |
(4) eap_peap : processing EAP-TLS | |
TLS Length 326 | |
(4) eap_peap : Length Included | |
(4) eap_peap : eaptls_verify returned 11 | |
(4) eap_peap : <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange | |
(4) eap_peap : TLS_accept: SSLv3 read client key exchange A | |
(4) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001] | |
(4) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished | |
(4) eap_peap : TLS_accept: SSLv3 read finished A | |
(4) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001] | |
(4) eap_peap : TLS_accept: SSLv3 write change cipher spec A | |
(4) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished | |
(4) eap_peap : TLS_accept: SSLv3 write finished A | |
(4) eap_peap : TLS_accept: SSLv3 flush data | |
SSL: adding session 2e4d29941698a934c07df3daaa9a121741d863190b8e9dbc0dcbe34abeef81d5 to cache | |
(4) eap_peap : (other): SSL negotiation finished successfully | |
SSL Connection Established | |
(4) eap_peap : eaptls_process returned 13 | |
(4) eap_peap : FR_TLS_HANDLED | |
(4) eap : New EAP session, adding 'State' attribute to reply 0xd6bf5df5d2b84439 | |
(4) [eap] = handled | |
Sending Access-Challenge of id 150 from 0.0.0.0 port 1812 to 000.00.157.2 port 32768 | |
EAP-Message = 0x0107004119001403010001011603010030471fe2086c3f717c864f25bddcf7a8dbb52c5eebbeb0707bdaf662d2c8e372dc12aafadb4463ca98cf176dcadedf4a36 | |
Message-Authenticator = 0x00000000000000000000000000000000 | |
State = 0xd6bf5df5d2b84439f1739a59943e5377 | |
(4) Finished request 4. | |
Waking up in 0.2 seconds. | |
rad_recv: Access-Request packet from host 000.00.157.2 port 32768, id=151, length=262 | |
User-Name = 'SOFR\\masked-uid' | |
Calling-Station-Id = '00-24-d7-9b-37-a4' | |
Called-Station-Id = '00-14-1b-b5-2e-70:SECURE-HEFR-2' | |
NAS-Port = 13 | |
Cisco-AVPair = 'audit-session-id=a0629d02000000e851e7b6d1' | |
NAS-IP-Address = 000.00.157.2 | |
NAS-Identifier = 'wlc.per80-EAP' | |
Airespace-Wlan-Id = 1 | |
Service-Type = Framed-User | |
Framed-MTU = 1300 | |
NAS-Port-Type = Wireless-802.11 | |
Tunnel-Type:0 = VLAN | |
Tunnel-Medium-Type:0 = IEEE-802 | |
Tunnel-Private-Group-Id:0 = '112' | |
EAP-Message = 0x020700061900 | |
State = 0xd6bf5df5d2b84439f1739a59943e5377 | |
Message-Authenticator = 0x2381bf9f6d5d95fa69e47fbaabe2a619 | |
(5) # Executing section authorize from file /srv/freeradius/etc/raddb/sites-enabled/hefr | |
(5) group authorize { | |
(5) - entering group authorize {...} | |
(5) ? if (NAS-Identifier =~ /.*-EAP$/) | |
(5) ? if (NAS-Identifier =~ /.*-EAP$/) -> TRUE | |
(5) if (NAS-Identifier =~ /.*-EAP$/) { | |
(5) - entering if (NAS-Identifier =~ /.*-EAP$/) {...} | |
(5) policy permit_only_eap { | |
(5) - entering policy permit_only_eap {...} | |
(5) ? if (!EAP-Message) | |
(5) ? if (!EAP-Message) -> FALSE | |
(5) - policy permit_only_eap returns notfound | |
(5) - if (NAS-Identifier =~ /.*-EAP$/) returns notfound | |
(5) policy rewrite_called_station_id { | |
(5) - entering policy rewrite_called_station_id {...} | |
(5) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) | |
(5) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE | |
(5) if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) { | |
(5) - entering if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {...} | |
(5) update request { | |
(5) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-14-1b-b5-2e-70' | |
(5) Called-Station-Id := "00-14-1b-b5-2e-70" | |
(5) } # update request = notfound | |
(5) ? if ("%{8}") | |
(5) expand: "%{8}" -> 'SECURE-HEFR-2' | |
(5) ? if ("%{8}") -> TRUE | |
(5) if ("%{8}") { | |
(5) - entering if ("%{8}") {...} | |
(5) update request { | |
(5) expand: "%{8}" -> 'SECURE-HEFR-2' | |
(5) Called-Station-SSID := "SECURE-HEFR-2" | |
(5) } # update request = notfound | |
(5) - if ("%{8}") returns notfound | |
(5) [updated] = updated | |
(5) - if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) returns updated | |
(5) ... skipping else for request 5: Preceding "if" was taken | |
(5) - policy rewrite_called_station_id returns updated | |
(5) policy rewrite_calling_station_id { | |
(5) - entering policy rewrite_calling_station_id {...} | |
(5) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) | |
(5) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) -> TRUE | |
(5) if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) { | |
(5) - entering if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {...} | |
(5) update request { | |
(5) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-24-d7-9b-37-a4' | |
(5) Calling-Station-Id := "00-24-d7-9b-37-a4" | |
(5) } # update request = updated | |
(5) [updated] = updated | |
(5) - if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) returns updated | |
(5) ... skipping else for request 5: Preceding "if" was taken | |
(5) - policy rewrite_calling_station_id returns updated | |
(5) auth_log : expand: "/srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718' | |
(5) auth_log : /srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718 | |
(5) auth_log : expand: "%t" -> 'Thu Jul 18 11:35:14 2013' | |
(5) [auth_log] = ok | |
(5) ? if ("%{client:location}") | |
(5) expand: "%{client:location}" -> 'RORG-HEFR' | |
(5) ? if ("%{client:location}") -> TRUE | |
(5) if ("%{client:location}") { | |
(5) - entering if ("%{client:location}") {...} | |
(5) update request { | |
(5) expand: "%{client:location}" -> 'RORG-HEFR' | |
(5) HESSO-Location := "RORG-HEFR" | |
(5) } # update request = ok | |
(5) - if ("%{client:location}") returns ok | |
(5) ntdomain : Looking up realm "SOFR" for User-Name = "SOFR\masked-uid" | |
(5) ntdomain : Found realm "SOFR" | |
(5) ntdomain : Adding Realm = "SOFR" | |
(5) ntdomain : Authentication realm is LOCAL. | |
(5) [ntdomain] = ok | |
(5) suffix : Request already has destination realm set. Ignoring. | |
(5) [suffix] = ok | |
(5) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2') | |
(5) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2') -> FALSE | |
(5) eap : EAP packet type response id 7 length 6 | |
(5) eap : Continuing tunnel setup. | |
(5) [eap] = ok | |
(5) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4) | |
(5) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4) -> FALSE | |
(5) Found Auth-Type = EAP | |
(5) # Executing group from file /srv/freeradius/etc/raddb/sites-enabled/hefr | |
(5) group authenticate { | |
(5) - entering group authenticate {...} | |
(5) eap : Expiring EAP session with state 0xd6bf5df5d2b84439 | |
(5) eap : Finished EAP session with state 0xd6bf5df5d2b84439 | |
(5) eap : Previous EAP request found for state 0xd6bf5df5d2b84439, released from the list | |
(5) eap : Peer sent PEAP (25) | |
(5) eap : EAP PEAP (25) | |
(5) eap : Calling eap_peap to process EAP data | |
(5) eap_peap : processing EAP-TLS | |
(5) eap_peap : Received TLS ACK | |
(5) eap_peap : Received TLS ACK | |
(5) eap_peap : ACK handshake is finished | |
(5) eap_peap : eaptls_verify returned 3 | |
(5) eap_peap : eaptls_process returned 3 | |
(5) eap_peap : FR_TLS_SUCCESS | |
(5) eap_peap : Session established. Decoding tunneled attributes. | |
(5) eap_peap : Peap state TUNNEL ESTABLISHED | |
(5) eap : New EAP session, adding 'State' attribute to reply 0xd6bf5df5d3b74439 | |
(5) [eap] = handled | |
Sending Access-Challenge of id 151 from 0.0.0.0 port 1812 to 000.00.157.2 port 32768 | |
EAP-Message = 0x0108002b190017030100203eacbc449c366d071aad24761568b98a42a17838dbb440aea2d1712d9f9ab879 | |
Message-Authenticator = 0x00000000000000000000000000000000 | |
State = 0xd6bf5df5d3b74439f1739a59943e5377 | |
(5) Finished request 5. | |
Waking up in 0.2 seconds. | |
rad_recv: Access-Request packet from host 000.00.157.2 port 32768, id=152, length=315 | |
User-Name = 'SOFR\\masked-uid' | |
Calling-Station-Id = '00-24-d7-9b-37-a4' | |
Called-Station-Id = '00-14-1b-b5-2e-70:SECURE-HEFR-2' | |
NAS-Port = 13 | |
Cisco-AVPair = 'audit-session-id=a0629d02000000e851e7b6d1' | |
NAS-IP-Address = 000.00.157.2 | |
NAS-Identifier = 'wlc.per80-EAP' | |
Airespace-Wlan-Id = 1 | |
Service-Type = Framed-User | |
Framed-MTU = 1300 | |
NAS-Port-Type = Wireless-802.11 | |
Tunnel-Type:0 = VLAN | |
Tunnel-Medium-Type:0 = IEEE-802 | |
Tunnel-Private-Group-Id:0 = '112' | |
EAP-Message = 0x0208003b19001703010030b482c35042acda6ad9fc1026b3658ea3489a06ae243be29e82abfec2ade5ffbe5a553e65349391cbc48a8c76a84d944d | |
State = 0xd6bf5df5d3b74439f1739a59943e5377 | |
Message-Authenticator = 0xe93ef0a9876bbb6cc6d59fe31de084a6 | |
(6) # Executing section authorize from file /srv/freeradius/etc/raddb/sites-enabled/hefr | |
(6) group authorize { | |
(6) - entering group authorize {...} | |
(6) ? if (NAS-Identifier =~ /.*-EAP$/) | |
(6) ? if (NAS-Identifier =~ /.*-EAP$/) -> TRUE | |
(6) if (NAS-Identifier =~ /.*-EAP$/) { | |
(6) - entering if (NAS-Identifier =~ /.*-EAP$/) {...} | |
(6) policy permit_only_eap { | |
(6) - entering policy permit_only_eap {...} | |
(6) ? if (!EAP-Message) | |
(6) ? if (!EAP-Message) -> FALSE | |
(6) - policy permit_only_eap returns notfound | |
(6) - if (NAS-Identifier =~ /.*-EAP$/) returns notfound | |
(6) policy rewrite_called_station_id { | |
(6) - entering policy rewrite_called_station_id {...} | |
(6) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) | |
(6) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE | |
(6) if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) { | |
(6) - entering if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {...} | |
(6) update request { | |
(6) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-14-1b-b5-2e-70' | |
(6) Called-Station-Id := "00-14-1b-b5-2e-70" | |
(6) } # update request = notfound | |
(6) ? if ("%{8}") | |
(6) expand: "%{8}" -> 'SECURE-HEFR-2' | |
(6) ? if ("%{8}") -> TRUE | |
(6) if ("%{8}") { | |
(6) - entering if ("%{8}") {...} | |
(6) update request { | |
(6) expand: "%{8}" -> 'SECURE-HEFR-2' | |
(6) Called-Station-SSID := "SECURE-HEFR-2" | |
(6) } # update request = notfound | |
(6) - if ("%{8}") returns notfound | |
(6) [updated] = updated | |
(6) - if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) returns updated | |
(6) ... skipping else for request 6: Preceding "if" was taken | |
(6) - policy rewrite_called_station_id returns updated | |
(6) policy rewrite_calling_station_id { | |
(6) - entering policy rewrite_calling_station_id {...} | |
(6) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) | |
(6) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) -> TRUE | |
(6) if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) { | |
(6) - entering if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {...} | |
(6) update request { | |
(6) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-24-d7-9b-37-a4' | |
(6) Calling-Station-Id := "00-24-d7-9b-37-a4" | |
(6) } # update request = updated | |
(6) [updated] = updated | |
(6) - if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) returns updated | |
(6) ... skipping else for request 6: Preceding "if" was taken | |
(6) - policy rewrite_calling_station_id returns updated | |
(6) auth_log : expand: "/srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718' | |
(6) auth_log : /srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718 | |
(6) auth_log : expand: "%t" -> 'Thu Jul 18 11:35:14 2013' | |
(6) [auth_log] = ok | |
(6) ? if ("%{client:location}") | |
(6) expand: "%{client:location}" -> 'RORG-HEFR' | |
(6) ? if ("%{client:location}") -> TRUE | |
(6) if ("%{client:location}") { | |
(6) - entering if ("%{client:location}") {...} | |
(6) update request { | |
(6) expand: "%{client:location}" -> 'RORG-HEFR' | |
(6) HESSO-Location := "RORG-HEFR" | |
(6) } # update request = ok | |
(6) - if ("%{client:location}") returns ok | |
(6) ntdomain : Looking up realm "SOFR" for User-Name = "SOFR\masked-uid" | |
(6) ntdomain : Found realm "SOFR" | |
(6) ntdomain : Adding Realm = "SOFR" | |
(6) ntdomain : Authentication realm is LOCAL. | |
(6) [ntdomain] = ok | |
(6) suffix : Request already has destination realm set. Ignoring. | |
(6) [suffix] = ok | |
(6) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2') | |
(6) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2') -> FALSE | |
(6) eap : EAP packet type response id 8 length 59 | |
(6) eap : Continuing tunnel setup. | |
(6) [eap] = ok | |
(6) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4) | |
(6) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4) -> FALSE | |
(6) Found Auth-Type = EAP | |
(6) # Executing group from file /srv/freeradius/etc/raddb/sites-enabled/hefr | |
(6) group authenticate { | |
(6) - entering group authenticate {...} | |
(6) eap : Expiring EAP session with state 0xd6bf5df5d3b74439 | |
(6) eap : Finished EAP session with state 0xd6bf5df5d3b74439 | |
(6) eap : Previous EAP request found for state 0xd6bf5df5d3b74439, released from the list | |
(6) eap : Peer sent PEAP (25) | |
(6) eap : EAP PEAP (25) | |
(6) eap : Calling eap_peap to process EAP data | |
(6) eap_peap : processing EAP-TLS | |
(6) eap_peap : eaptls_verify returned 7 | |
(6) eap_peap : Done initial handshake | |
(6) eap_peap : eaptls_process returned 7 | |
(6) eap_peap : FR_TLS_OK | |
(6) eap_peap : Session established. Decoding tunneled attributes. | |
(6) eap_peap : Peap state WAITING FOR INNER IDENTITY | |
(6) eap_peap : Identity - SOFR\masked-uid | |
(6) eap_peap : Got inner identity 'SOFR\masked-uid' | |
(6) eap_peap : Setting default EAP type for tunneled EAP session. | |
(6) eap_peap : Got tunneled request | |
EAP-Message = 0x0208001a01534f46525c6f6c69766965722e626579747269736f | |
server eduroam { | |
(6) eap_peap : Setting User-Name to SOFR\masked-uid | |
Sending tunneled request | |
EAP-Message = 0x0208001a01534f46525c6f6c69766965722e626579747269736f | |
FreeRADIUS-Proxied-To = 127.0.0.1 | |
User-Name = 'SOFR\\masked-uid' | |
Calling-Station-Id = '00-24-d7-9b-37-a4' | |
Called-Station-Id = '00-14-1b-b5-2e-70' | |
NAS-Port = 13 | |
NAS-IP-Address = 000.00.157.2 | |
NAS-Identifier = 'wlc.per80-EAP' | |
Service-Type = Framed-User | |
Framed-MTU = 1300 | |
NAS-Port-Type = Wireless-802.11 | |
Tunnel-Type:0 = VLAN | |
Tunnel-Medium-Type:0 = IEEE-802 | |
Tunnel-Private-Group-Id:0 = '112' | |
HESSO-Location = 'RORG-HEFR' | |
server secure-hefr-inner-tunnel { | |
(6) # Executing section authorize from file /srv/freeradius/etc/raddb/sites-enabled/secure-hefr-inner-tunnel | |
(6) group authorize { | |
(6) - entering group authorize {...} | |
(6) [mschap] = noop | |
(6) ntdomain : Looking up realm "SOFR" for User-Name = "SOFR\masked-uid" | |
(6) ntdomain : Found realm "SOFR" | |
(6) ntdomain : Adding Realm = "SOFR" | |
(6) ntdomain : Authentication realm is LOCAL. | |
(6) [ntdomain] = ok | |
(6) update control { | |
(6) Proxy-To-Realm := 'LOCAL' | |
(6) } # update control = ok | |
(6) ? if (User-Name =~ /SOFR.(.*)$/) | |
(6) ? if (User-Name =~ /SOFR.(.*)$/) -> TRUE | |
(6) if (User-Name =~ /SOFR.(.*)$/) { | |
(6) - entering if (User-Name =~ /SOFR.(.*)$/) {...} | |
(6) update request { | |
(6) expand: "%{1}" -> 'masked-uid' | |
(6) Stripped-User-Name := "masked-uid" | |
(6) } # update request = ok | |
(6) - if (User-Name =~ /SOFR.(.*)$/) returns ok | |
(6) eap : EAP packet type response id 8 length 26 | |
(6) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize | |
(6) [eap] = ok | |
(6) Found Auth-Type = EAP | |
(6) # Executing group from file /srv/freeradius/etc/raddb/sites-enabled/secure-hefr-inner-tunnel | |
(6) group authenticate { | |
(6) - entering group authenticate {...} | |
(6) eap : Peer sent Identity (1) | |
(6) eap : Calling eap_mschapv2 to process EAP data | |
(6) eap_mschapv2 : Issuing Challenge | |
(6) eap : New EAP session, adding 'State' attribute to reply 0x09e69a9109ef80a5 | |
(6) [eap] = handled | |
} # server secure-hefr-inner-tunnel | |
(6) eap_peap : Got tunneled reply code 11 | |
EAP-Message = 0x0109002f1a0109002a102b01ed9f6f07fb661070a2e83c9f3508534f46525c6f6c69766965722e626579747269736f | |
Message-Authenticator = 0x00000000000000000000000000000000 | |
State = 0x09e69a9109ef80a53eb6cc89b8b9ec91 | |
(6) eap_peap : Got tunneled reply RADIUS code 11 | |
EAP-Message = 0x0109002f1a0109002a102b01ed9f6f07fb661070a2e83c9f3508534f46525c6f6c69766965722e626579747269736f | |
Message-Authenticator = 0x00000000000000000000000000000000 | |
State = 0x09e69a9109ef80a53eb6cc89b8b9ec91 | |
(6) eap_peap : Got tunneled Access-Challenge | |
(6) eap : New EAP session, adding 'State' attribute to reply 0xd6bf5df5d0b64439 | |
(6) [eap] = handled | |
Sending Access-Challenge of id 152 from 0.0.0.0 port 1812 to 000.00.157.2 port 32768 | |
EAP-Message = 0x0109007b19001703010070a040db3bcbf2a098fb8a5d86b9fdb4da157eec97b1a09480fdcf4406bd0d8c4159b69230677921c8d99d3288159b901115ba26a25d33c3c2e131ecd6487d2c89bc6c6841667677166637ddb7c8675c2a6d0de7d2ea41e079f1c8c06230a6b48125cfa466a70550cdb61d32b889a50f75 | |
Message-Authenticator = 0x00000000000000000000000000000000 | |
State = 0xd6bf5df5d0b64439f1739a59943e5377 | |
(6) Finished request 6. | |
Waking up in 0.2 seconds. | |
rad_recv: Access-Request packet from host 000.00.157.2 port 32768, id=153, length=379 | |
User-Name = 'SOFR\\masked-uid' | |
Calling-Station-Id = '00-24-d7-9b-37-a4' | |
Called-Station-Id = '00-14-1b-b5-2e-70:SECURE-HEFR-2' | |
NAS-Port = 13 | |
Cisco-AVPair = 'audit-session-id=a0629d02000000e851e7b6d1' | |
NAS-IP-Address = 000.00.157.2 | |
NAS-Identifier = 'wlc.per80-EAP' | |
Airespace-Wlan-Id = 1 | |
Service-Type = Framed-User | |
Framed-MTU = 1300 | |
NAS-Port-Type = Wireless-802.11 | |
Tunnel-Type:0 = VLAN | |
Tunnel-Medium-Type:0 = IEEE-802 | |
Tunnel-Private-Group-Id:0 = '112' | |
EAP-Message = 0x0209007b190017030100709b340c93950cbb35c15bc420978f2d356cc1cf33052754dd1df01cb60bfc4e412ac34e7c69e962caf0d3908e3ec916c1e85c990530b04bd463b39408d0203dc2ac73b2a915143d154b0648098a6ce6d65ac2f67bd9b0b54cfb3e5b781f06b1be22d1582f4db08e920faaac0055aa1528 | |
State = 0xd6bf5df5d0b64439f1739a59943e5377 | |
Message-Authenticator = 0xa4125b81d15aeedcaaa65391e731725d | |
(7) # Executing section authorize from file /srv/freeradius/etc/raddb/sites-enabled/hefr | |
(7) group authorize { | |
(7) - entering group authorize {...} | |
(7) ? if (NAS-Identifier =~ /.*-EAP$/) | |
(7) ? if (NAS-Identifier =~ /.*-EAP$/) -> TRUE | |
(7) if (NAS-Identifier =~ /.*-EAP$/) { | |
(7) - entering if (NAS-Identifier =~ /.*-EAP$/) {...} | |
(7) policy permit_only_eap { | |
(7) - entering policy permit_only_eap {...} | |
(7) ? if (!EAP-Message) | |
(7) ? if (!EAP-Message) -> FALSE | |
(7) - policy permit_only_eap returns notfound | |
(7) - if (NAS-Identifier =~ /.*-EAP$/) returns notfound | |
(7) policy rewrite_called_station_id { | |
(7) - entering policy rewrite_called_station_id {...} | |
(7) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) | |
(7) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE | |
(7) if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) { | |
(7) - entering if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {...} | |
(7) update request { | |
(7) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-14-1b-b5-2e-70' | |
(7) Called-Station-Id := "00-14-1b-b5-2e-70" | |
(7) } # update request = notfound | |
(7) ? if ("%{8}") | |
(7) expand: "%{8}" -> 'SECURE-HEFR-2' | |
(7) ? if ("%{8}") -> TRUE | |
(7) if ("%{8}") { | |
(7) - entering if ("%{8}") {...} | |
(7) update request { | |
(7) expand: "%{8}" -> 'SECURE-HEFR-2' | |
(7) Called-Station-SSID := "SECURE-HEFR-2" | |
(7) } # update request = notfound | |
(7) - if ("%{8}") returns notfound | |
(7) [updated] = updated | |
(7) - if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) returns updated | |
(7) ... skipping else for request 7: Preceding "if" was taken | |
(7) - policy rewrite_called_station_id returns updated | |
(7) policy rewrite_calling_station_id { | |
(7) - entering policy rewrite_calling_station_id {...} | |
(7) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) | |
(7) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) -> TRUE | |
(7) if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) { | |
(7) - entering if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {...} | |
(7) update request { | |
(7) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-24-d7-9b-37-a4' | |
(7) Calling-Station-Id := "00-24-d7-9b-37-a4" | |
(7) } # update request = updated | |
(7) [updated] = updated | |
(7) - if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) returns updated | |
(7) ... skipping else for request 7: Preceding "if" was taken | |
(7) - policy rewrite_calling_station_id returns updated | |
(7) auth_log : expand: "/srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718' | |
(7) auth_log : /srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718 | |
(7) auth_log : expand: "%t" -> 'Thu Jul 18 11:35:14 2013' | |
(7) [auth_log] = ok | |
(7) ? if ("%{client:location}") | |
(7) expand: "%{client:location}" -> 'RORG-HEFR' | |
(7) ? if ("%{client:location}") -> TRUE | |
(7) if ("%{client:location}") { | |
(7) - entering if ("%{client:location}") {...} | |
(7) update request { | |
(7) expand: "%{client:location}" -> 'RORG-HEFR' | |
(7) HESSO-Location := "RORG-HEFR" | |
(7) } # update request = ok | |
(7) - if ("%{client:location}") returns ok | |
(7) ntdomain : Looking up realm "SOFR" for User-Name = "SOFR\masked-uid" | |
(7) ntdomain : Found realm "SOFR" | |
(7) ntdomain : Adding Realm = "SOFR" | |
(7) ntdomain : Authentication realm is LOCAL. | |
(7) [ntdomain] = ok | |
(7) suffix : Request already has destination realm set. Ignoring. | |
(7) [suffix] = ok | |
(7) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2') | |
(7) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2') -> FALSE | |
(7) eap : EAP packet type response id 9 length 123 | |
(7) eap : Continuing tunnel setup. | |
(7) [eap] = ok | |
(7) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4) | |
(7) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4) -> FALSE | |
(7) Found Auth-Type = EAP | |
(7) # Executing group from file /srv/freeradius/etc/raddb/sites-enabled/hefr | |
(7) group authenticate { | |
(7) - entering group authenticate {...} | |
(7) eap : Expiring EAP session with state 0x09e69a9109ef80a5 | |
(7) eap : Finished EAP session with state 0xd6bf5df5d0b64439 | |
(7) eap : Previous EAP request found for state 0xd6bf5df5d0b64439, released from the list | |
(7) eap : Peer sent PEAP (25) | |
(7) eap : EAP PEAP (25) | |
(7) eap : Calling eap_peap to process EAP data | |
(7) eap_peap : processing EAP-TLS | |
(7) eap_peap : eaptls_verify returned 7 | |
(7) eap_peap : Done initial handshake | |
(7) eap_peap : eaptls_process returned 7 | |
(7) eap_peap : FR_TLS_OK | |
(7) eap_peap : Session established. Decoding tunneled attributes. | |
(7) eap_peap : Peap state phase2 | |
(7) eap_peap : EAP type MSCHAPv2 (26) | |
(7) eap_peap : Got tunneled request | |
EAP-Message = 0x020900501a0209004b31dcd8124da2cd8b20ae2cc2d55ea81aeb000000000000000096ee0f6b7bd66243d5a0af319068873ce7881e4f7b0250bd00534f46525c6f6c69766965722e626579747269736f | |
server eduroam { | |
(7) eap_peap : Setting User-Name to SOFR\masked-uid | |
Sending tunneled request | |
EAP-Message = 0x020900501a0209004b31dcd8124da2cd8b20ae2cc2d55ea81aeb000000000000000096ee0f6b7bd66243d5a0af319068873ce7881e4f7b0250bd00534f46525c6f6c69766965722e626579747269736f | |
FreeRADIUS-Proxied-To = 127.0.0.1 | |
User-Name = 'SOFR\\masked-uid' | |
State = 0x09e69a9109ef80a53eb6cc89b8b9ec91 | |
Calling-Station-Id = '00-24-d7-9b-37-a4' | |
Called-Station-Id = '00-14-1b-b5-2e-70' | |
NAS-Port = 13 | |
NAS-IP-Address = 000.00.157.2 | |
NAS-Identifier = 'wlc.per80-EAP' | |
Service-Type = Framed-User | |
Framed-MTU = 1300 | |
NAS-Port-Type = Wireless-802.11 | |
Tunnel-Type:0 = VLAN | |
Tunnel-Medium-Type:0 = IEEE-802 | |
Tunnel-Private-Group-Id:0 = '112' | |
HESSO-Location = 'RORG-HEFR' | |
server secure-hefr-inner-tunnel { | |
(7) # Executing section authorize from file /srv/freeradius/etc/raddb/sites-enabled/secure-hefr-inner-tunnel | |
(7) group authorize { | |
(7) - entering group authorize {...} | |
(7) [mschap] = noop | |
(7) ntdomain : Looking up realm "SOFR" for User-Name = "SOFR\masked-uid" | |
(7) ntdomain : Found realm "SOFR" | |
(7) ntdomain : Adding Realm = "SOFR" | |
(7) ntdomain : Authentication realm is LOCAL. | |
(7) [ntdomain] = ok | |
(7) update control { | |
(7) Proxy-To-Realm := 'LOCAL' | |
(7) } # update control = ok | |
(7) ? if (User-Name =~ /SOFR.(.*)$/) | |
(7) ? if (User-Name =~ /SOFR.(.*)$/) -> TRUE | |
(7) if (User-Name =~ /SOFR.(.*)$/) { | |
(7) - entering if (User-Name =~ /SOFR.(.*)$/) {...} | |
(7) update request { | |
(7) expand: "%{1}" -> 'masked-uid' | |
(7) Stripped-User-Name := "masked-uid" | |
(7) } # update request = ok | |
(7) - if (User-Name =~ /SOFR.(.*)$/) returns ok | |
(7) eap : EAP packet type response id 9 length 80 | |
(7) eap : No EAP Start, assuming it's an on-going EAP conversation | |
(7) [eap] = updated | |
rlm_ldap (ldap): Reserved connection (4) | |
(7) ldap : expand: "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(uid=masked-uid)' | |
(7) ldap : expand: "ou=people,o=hefr" -> 'ou=people,o=hefr' | |
(7) ldap : Performing search in 'ou=people,o=hefr' with filter '(uid=masked-uid)' | |
(7) ldap : Waiting for search result... | |
(7) ldap : User object found at DN "cn=masked-uid,ou=courant,ou=people,o=hefr" | |
(7) ldap : Added eDirectory password in check items as Cleartext-Password = masked-password | |
(7) ldap : Binding as user for eDirectory authorization checks | |
(7) ldap : Waiting for bind result... | |
(7) ldap : Bind successful | |
(7) ldap : Bind as user "cn=masked-uid,ou=courant,ou=people,o=hefr" was successful | |
(7) ldap : reply:HESSO-Role-Raw := '31935762-440774439#RORG-HEFR-EIFR-INTR-INFO#EMP#COL' | |
rlm_ldap (ldap): Released connection (4) | |
rlm_ldap (ldap): Closing connection (0): Too many free connections (5 > 3) | |
(7) [ldap] = ok | |
(7) ? if ("%{debug_attr: reply}" == "") | |
(7) Attributes matching "reply" | |
(7) reply:HESSO-Role-Raw = '31935762-440774439#RORG-HEFR-EIFR-INTR-INFO#EMP#COL' | |
(7) expand: "%{debug_attr: reply}" -> '' | |
(7) ? if ("%{debug_attr: reply}" == "") -> TRUE | |
(7) if ("%{debug_attr: reply}" == "") { | |
(7) - entering if ("%{debug_attr: reply}" == "") {...} | |
(7) [noop] = noop | |
(7) - if ("%{debug_attr: reply}" == "") returns updated | |
(7) WARNING: pap : Auth-Type already set. Not setting to PAP | |
(7) [pap] = noop | |
(7) Found Auth-Type = EAP | |
(7) # Executing group from file /srv/freeradius/etc/raddb/sites-enabled/secure-hefr-inner-tunnel | |
(7) group authenticate { | |
(7) - entering group authenticate {...} | |
(7) eap : Expiring EAP session with state 0x09e69a9109ef80a5 | |
(7) eap : Finished EAP session with state 0x09e69a9109ef80a5 | |
(7) eap : Previous EAP request found for state 0x09e69a9109ef80a5, released from the list | |
(7) eap : Peer sent MSCHAPv2 (26) | |
(7) eap : EAP MSCHAPv2 (26) | |
(7) eap : Calling eap_mschapv2 to process EAP data | |
(7) eap_mschapv2 : # Executing group from file /srv/freeradius/etc/raddb/sites-enabled/secure-hefr-inner-tunnel | |
(7) eap_mschapv2 : group MS-CHAP { | |
(7) eap_mschapv2 : - entering group MS-CHAP {...} | |
(7) mschap : Creating challenge hash with username: masked-uid | |
(7) mschap : Client is using MS-CHAPv2 for masked-uid, we need NT-Password | |
(7) mschap : adding MS-CHAPv2 MPPE keys | |
(7) [mschap] = ok | |
MSCHAP Success | |
(7) eap : New EAP session, adding 'State' attribute to reply 0x09e69a9108ec80a5 | |
(7) [eap] = handled | |
} # server secure-hefr-inner-tunnel | |
(7) eap_peap : Got tunneled reply code 11 | |
HESSO-Role-Raw = '31935762-440774439#RORG-HEFR-EIFR-INTR-INFO#EMP#COL' | |
EAP-Message = 0x010a00331a0309002e533d36463146433039463146453336333741373445433937393937313437334141344330324536364443 | |
Message-Authenticator = 0x00000000000000000000000000000000 | |
State = 0x09e69a9108ec80a53eb6cc89b8b9ec91 | |
(7) eap_peap : Got tunneled reply RADIUS code 11 | |
HESSO-Role-Raw = '31935762-440774439#RORG-HEFR-EIFR-INTR-INFO#EMP#COL' | |
EAP-Message = 0x010a00331a0309002e533d36463146433039463146453336333741373445433937393937313437334141344330324536364443 | |
Message-Authenticator = 0x00000000000000000000000000000000 | |
State = 0x09e69a9108ec80a53eb6cc89b8b9ec91 | |
(7) eap_peap : Got tunneled Access-Challenge | |
(7) eap : New EAP session, adding 'State' attribute to reply 0xd6bf5df5d1b54439 | |
(7) [eap] = handled | |
Sending Access-Challenge of id 153 from 0.0.0.0 port 1812 to 000.00.157.2 port 32768 | |
EAP-Message = 0x010a008b1900170301008067c5b68a1764001fb2a24e85ee4e517173085427f6d163b0da7f90e662d76c88c4da3fd87a90b0ef07f29f34a5579a36c610ce3ee8e3f5a61b1859371303f0f1b3bc406ec6cf0defe8d0c0bc8ac7c460f56e4e40dd464139e50d2daf0633de573112c64b7a9ea0d631f52c238ebb063f1510fc162953e06ab67b462a188f4022 | |
Message-Authenticator = 0x00000000000000000000000000000000 | |
State = 0xd6bf5df5d1b54439f1739a59943e5377 | |
(7) Finished request 7. | |
Waking up in 0.2 seconds. | |
rad_recv: Access-Request packet from host 000.00.157.2 port 32768, id=154, length=299 | |
User-Name = 'SOFR\\masked-uid' | |
Calling-Station-Id = '00-24-d7-9b-37-a4' | |
Called-Station-Id = '00-14-1b-b5-2e-70:SECURE-HEFR-2' | |
NAS-Port = 13 | |
Cisco-AVPair = 'audit-session-id=a0629d02000000e851e7b6d1' | |
NAS-IP-Address = 000.00.157.2 | |
NAS-Identifier = 'wlc.per80-EAP' | |
Airespace-Wlan-Id = 1 | |
Service-Type = Framed-User | |
Framed-MTU = 1300 | |
NAS-Port-Type = Wireless-802.11 | |
Tunnel-Type:0 = VLAN | |
Tunnel-Medium-Type:0 = IEEE-802 | |
Tunnel-Private-Group-Id:0 = '112' | |
EAP-Message = 0x020a002b190017030100204efe9d7bbe4638ea5737980d9ea5a5d7566eecb1879e8012f943526df0af7f09 | |
State = 0xd6bf5df5d1b54439f1739a59943e5377 | |
Message-Authenticator = 0xdce0b687ff8671ba8b12131dabef0d2e | |
(8) # Executing section authorize from file /srv/freeradius/etc/raddb/sites-enabled/hefr | |
(8) group authorize { | |
(8) - entering group authorize {...} | |
(8) ? if (NAS-Identifier =~ /.*-EAP$/) | |
(8) ? if (NAS-Identifier =~ /.*-EAP$/) -> TRUE | |
(8) if (NAS-Identifier =~ /.*-EAP$/) { | |
(8) - entering if (NAS-Identifier =~ /.*-EAP$/) {...} | |
(8) policy permit_only_eap { | |
(8) - entering policy permit_only_eap {...} | |
(8) ? if (!EAP-Message) | |
(8) ? if (!EAP-Message) -> FALSE | |
(8) - policy permit_only_eap returns notfound | |
(8) - if (NAS-Identifier =~ /.*-EAP$/) returns notfound | |
(8) policy rewrite_called_station_id { | |
(8) - entering policy rewrite_called_station_id {...} | |
(8) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) | |
(8) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE | |
(8) if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) { | |
(8) - entering if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {...} | |
(8) update request { | |
(8) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-14-1b-b5-2e-70' | |
(8) Called-Station-Id := "00-14-1b-b5-2e-70" | |
(8) } # update request = notfound | |
(8) ? if ("%{8}") | |
(8) expand: "%{8}" -> 'SECURE-HEFR-2' | |
(8) ? if ("%{8}") -> TRUE | |
(8) if ("%{8}") { | |
(8) - entering if ("%{8}") {...} | |
(8) update request { | |
(8) expand: "%{8}" -> 'SECURE-HEFR-2' | |
(8) Called-Station-SSID := "SECURE-HEFR-2" | |
(8) } # update request = notfound | |
(8) - if ("%{8}") returns notfound | |
(8) [updated] = updated | |
(8) - if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) returns updated | |
(8) ... skipping else for request 8: Preceding "if" was taken | |
(8) - policy rewrite_called_station_id returns updated | |
(8) policy rewrite_calling_station_id { | |
(8) - entering policy rewrite_calling_station_id {...} | |
(8) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) | |
(8) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) -> TRUE | |
(8) if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) { | |
(8) - entering if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {...} | |
(8) update request { | |
(8) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-24-d7-9b-37-a4' | |
(8) Calling-Station-Id := "00-24-d7-9b-37-a4" | |
(8) } # update request = updated | |
(8) [updated] = updated | |
(8) - if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) returns updated | |
(8) ... skipping else for request 8: Preceding "if" was taken | |
(8) - policy rewrite_calling_station_id returns updated | |
(8) auth_log : expand: "/srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718' | |
(8) auth_log : /srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718 | |
(8) auth_log : expand: "%t" -> 'Thu Jul 18 11:35:14 2013' | |
(8) [auth_log] = ok | |
(8) ? if ("%{client:location}") | |
(8) expand: "%{client:location}" -> 'RORG-HEFR' | |
(8) ? if ("%{client:location}") -> TRUE | |
(8) if ("%{client:location}") { | |
(8) - entering if ("%{client:location}") {...} | |
(8) update request { | |
(8) expand: "%{client:location}" -> 'RORG-HEFR' | |
(8) HESSO-Location := "RORG-HEFR" | |
(8) } # update request = ok | |
(8) - if ("%{client:location}") returns ok | |
(8) ntdomain : Looking up realm "SOFR" for User-Name = "SOFR\masked-uid" | |
(8) ntdomain : Found realm "SOFR" | |
(8) ntdomain : Adding Realm = "SOFR" | |
(8) ntdomain : Authentication realm is LOCAL. | |
(8) [ntdomain] = ok | |
(8) suffix : Request already has destination realm set. Ignoring. | |
(8) [suffix] = ok | |
(8) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2') | |
(8) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2') -> FALSE | |
(8) eap : EAP packet type response id 10 length 43 | |
(8) eap : Continuing tunnel setup. | |
(8) [eap] = ok | |
(8) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4) | |
(8) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4) -> FALSE | |
(8) Found Auth-Type = EAP | |
(8) # Executing group from file /srv/freeradius/etc/raddb/sites-enabled/hefr | |
(8) group authenticate { | |
(8) - entering group authenticate {...} | |
(8) eap : Expiring EAP session with state 0x09e69a9108ec80a5 | |
(8) eap : Finished EAP session with state 0xd6bf5df5d1b54439 | |
(8) eap : Previous EAP request found for state 0xd6bf5df5d1b54439, released from the list | |
(8) eap : Peer sent PEAP (25) | |
(8) eap : EAP PEAP (25) | |
(8) eap : Calling eap_peap to process EAP data | |
(8) eap_peap : processing EAP-TLS | |
(8) eap_peap : eaptls_verify returned 7 | |
(8) eap_peap : Done initial handshake | |
(8) eap_peap : eaptls_process returned 7 | |
(8) eap_peap : FR_TLS_OK | |
(8) eap_peap : Session established. Decoding tunneled attributes. | |
(8) eap_peap : Peap state phase2 | |
(8) eap_peap : EAP type MSCHAPv2 (26) | |
(8) eap_peap : Got tunneled request | |
EAP-Message = 0x020a00061a03 | |
server eduroam { | |
(8) eap_peap : Setting User-Name to SOFR\masked-uid | |
Sending tunneled request | |
EAP-Message = 0x020a00061a03 | |
FreeRADIUS-Proxied-To = 127.0.0.1 | |
User-Name = 'SOFR\\masked-uid' | |
State = 0x09e69a9108ec80a53eb6cc89b8b9ec91 | |
Calling-Station-Id = '00-24-d7-9b-37-a4' | |
Called-Station-Id = '00-14-1b-b5-2e-70' | |
NAS-Port = 13 | |
NAS-IP-Address = 000.00.157.2 | |
NAS-Identifier = 'wlc.per80-EAP' | |
Service-Type = Framed-User | |
Framed-MTU = 1300 | |
NAS-Port-Type = Wireless-802.11 | |
Tunnel-Type:0 = VLAN | |
Tunnel-Medium-Type:0 = IEEE-802 | |
Tunnel-Private-Group-Id:0 = '112' | |
HESSO-Location = 'RORG-HEFR' | |
server secure-hefr-inner-tunnel { | |
(8) # Executing section authorize from file /srv/freeradius/etc/raddb/sites-enabled/secure-hefr-inner-tunnel | |
(8) group authorize { | |
(8) - entering group authorize {...} | |
(8) [mschap] = noop | |
(8) ntdomain : Looking up realm "SOFR" for User-Name = "SOFR\masked-uid" | |
(8) ntdomain : Found realm "SOFR" | |
(8) ntdomain : Adding Realm = "SOFR" | |
(8) ntdomain : Authentication realm is LOCAL. | |
(8) [ntdomain] = ok | |
(8) update control { | |
(8) Proxy-To-Realm := 'LOCAL' | |
(8) } # update control = ok | |
(8) ? if (User-Name =~ /SOFR.(.*)$/) | |
(8) ? if (User-Name =~ /SOFR.(.*)$/) -> TRUE | |
(8) if (User-Name =~ /SOFR.(.*)$/) { | |
(8) - entering if (User-Name =~ /SOFR.(.*)$/) {...} | |
(8) update request { | |
(8) expand: "%{1}" -> 'masked-uid' | |
(8) Stripped-User-Name := "masked-uid" | |
(8) } # update request = ok | |
(8) - if (User-Name =~ /SOFR.(.*)$/) returns ok | |
(8) eap : EAP packet type response id 10 length 6 | |
(8) eap : EAP-MSCHAPV2 success, returning short-circuit ok | |
(8) [eap] = ok | |
(8) Found Auth-Type = EAP | |
(8) # Executing group from file /srv/freeradius/etc/raddb/sites-enabled/secure-hefr-inner-tunnel | |
(8) group authenticate { | |
(8) - entering group authenticate {...} | |
(8) eap : Expiring EAP session with state 0x09e69a9108ec80a5 | |
(8) eap : Finished EAP session with state 0x09e69a9108ec80a5 | |
(8) eap : Previous EAP request found for state 0x09e69a9108ec80a5, released from the list | |
(8) eap : Peer sent MSCHAPv2 (26) | |
(8) eap : EAP MSCHAPv2 (26) | |
(8) eap : Calling eap_mschapv2 to process EAP data | |
(8) eap : Freeing handler | |
(8) [eap] = ok | |
(8) # Executing section post-auth from file /srv/freeradius/etc/raddb/sites-enabled/secure-hefr-inner-tunnel | |
(8) group post-auth { | |
(8) - entering group post-auth {...} | |
(8) auth_log : expand: "/srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-19700101' | |
(8) auth_log : /srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-19700101 | |
(8) auth_log : expand: "%t" -> 'Thu Jan 1 01:00:00 1970' | |
(8) [auth_log] = ok | |
(8) policy wireless-policy { | |
(8) - entering policy wireless-policy {...} | |
(8) foreach reply:HESSO-Role-Raw { | |
(8) } # foreach reply:HESSO-Role-Raw = ok | |
(8) } # foreach reply:HESSO-Role-Raw = ok | |
(8) - policy wireless-policy returns ok | |
} # server secure-hefr-inner-tunnel | |
(8) eap_peap : Got tunneled reply code 2 | |
MS-MPPE-Encryption-Policy = Encryption-Allowed | |
MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed | |
MS-MPPE-Send-Key = 0x6db969e5fb5f0745ec08717ac16d8c3e | |
MS-MPPE-Recv-Key = 0x172bb98b1c777364dc9b118b7ca9fecb | |
EAP-Message = 0x030a0004 | |
Message-Authenticator = 0x00000000000000000000000000000000 | |
Stripped-User-Name = 'masked-uid' | |
(8) eap_peap : Got tunneled reply RADIUS code 2 | |
MS-MPPE-Encryption-Policy = Encryption-Allowed | |
MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed | |
MS-MPPE-Send-Key = 0x6db969e5fb5f0745ec08717ac16d8c3e | |
MS-MPPE-Recv-Key = 0x172bb98b1c777364dc9b118b7ca9fecb | |
EAP-Message = 0x030a0004 | |
Message-Authenticator = 0x00000000000000000000000000000000 | |
Stripped-User-Name = 'masked-uid' | |
(8) eap_peap : Tunneled authentication was successful. | |
(8) eap_peap : SUCCESS | |
(8) eap_peap : Saving tunneled attributes for later | |
(8) eap : New EAP session, adding 'State' attribute to reply 0xd6bf5df5deb44439 | |
(8) [eap] = handled | |
Sending Access-Challenge of id 154 from 0.0.0.0 port 1812 to 000.00.157.2 port 32768 | |
EAP-Message = 0x010b002b190017030100207b481ac6bea28302c1bb10e5078eecea5d2502ff0b421f5078b47fa27d70366d | |
Message-Authenticator = 0x00000000000000000000000000000000 | |
State = 0xd6bf5df5deb44439f1739a59943e5377 | |
(8) Finished request 8. | |
Waking up in 0.2 seconds. | |
rad_recv: Access-Request packet from host 000.00.157.2 port 32768, id=155, length=299 | |
User-Name = 'SOFR\\masked-uid' | |
Calling-Station-Id = '00-24-d7-9b-37-a4' | |
Called-Station-Id = '00-14-1b-b5-2e-70:SECURE-HEFR-2' | |
NAS-Port = 13 | |
Cisco-AVPair = 'audit-session-id=a0629d02000000e851e7b6d1' | |
NAS-IP-Address = 000.00.157.2 | |
NAS-Identifier = 'wlc.per80-EAP' | |
Airespace-Wlan-Id = 1 | |
Service-Type = Framed-User | |
Framed-MTU = 1300 | |
NAS-Port-Type = Wireless-802.11 | |
Tunnel-Type:0 = VLAN | |
Tunnel-Medium-Type:0 = IEEE-802 | |
Tunnel-Private-Group-Id:0 = '112' | |
EAP-Message = 0x020b002b190017030100201b290abec72376de1f2e08ee8b42d272a2c47b9b9c0f47a6c4ea1daf79e867c6 | |
State = 0xd6bf5df5deb44439f1739a59943e5377 | |
Message-Authenticator = 0x3f313abcebdfa01d2b2569fd70c28fd5 | |
(9) # Executing section authorize from file /srv/freeradius/etc/raddb/sites-enabled/hefr | |
(9) group authorize { | |
(9) - entering group authorize {...} | |
(9) ? if (NAS-Identifier =~ /.*-EAP$/) | |
(9) ? if (NAS-Identifier =~ /.*-EAP$/) -> TRUE | |
(9) if (NAS-Identifier =~ /.*-EAP$/) { | |
(9) - entering if (NAS-Identifier =~ /.*-EAP$/) {...} | |
(9) policy permit_only_eap { | |
(9) - entering policy permit_only_eap {...} | |
(9) ? if (!EAP-Message) | |
(9) ? if (!EAP-Message) -> FALSE | |
(9) - policy permit_only_eap returns notfound | |
(9) - if (NAS-Identifier =~ /.*-EAP$/) returns notfound | |
(9) policy rewrite_called_station_id { | |
(9) - entering policy rewrite_called_station_id {...} | |
(9) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) | |
(9) ? if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE | |
(9) if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) { | |
(9) - entering if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {...} | |
(9) update request { | |
(9) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-14-1b-b5-2e-70' | |
(9) Called-Station-Id := "00-14-1b-b5-2e-70" | |
(9) } # update request = notfound | |
(9) ? if ("%{8}") | |
(9) expand: "%{8}" -> 'SECURE-HEFR-2' | |
(9) ? if ("%{8}") -> TRUE | |
(9) if ("%{8}") { | |
(9) - entering if ("%{8}") {...} | |
(9) update request { | |
(9) expand: "%{8}" -> 'SECURE-HEFR-2' | |
(9) Called-Station-SSID := "SECURE-HEFR-2" | |
(9) } # update request = notfound | |
(9) - if ("%{8}") returns notfound | |
(9) [updated] = updated | |
(9) - if (Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) returns updated | |
(9) ... skipping else for request 9: Preceding "if" was taken | |
(9) - policy rewrite_called_station_id returns updated | |
(9) policy rewrite_calling_station_id { | |
(9) - entering policy rewrite_calling_station_id {...} | |
(9) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) | |
(9) ? if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) -> TRUE | |
(9) if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) { | |
(9) - entering if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {...} | |
(9) update request { | |
(9) expand: "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" -> '00-24-d7-9b-37-a4' | |
(9) Calling-Station-Id := "00-24-d7-9b-37-a4" | |
(9) } # update request = updated | |
(9) [updated] = updated | |
(9) - if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) returns updated | |
(9) ... skipping else for request 9: Preceding "if" was taken | |
(9) - policy rewrite_calling_station_id returns updated | |
(9) auth_log : expand: "/srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718' | |
(9) auth_log : /srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718 | |
(9) auth_log : expand: "%t" -> 'Thu Jul 18 11:35:14 2013' | |
(9) [auth_log] = ok | |
(9) ntdomain : Looking up realm "SOFR" for User-Name = "SOFR\masked-uid" | |
(9) ntdomain : Found realm "SOFR" | |
(9) ntdomain : Adding Realm = "SOFR" | |
(9) ntdomain : Authentication realm is LOCAL. | |
(9) [ntdomain] = ok | |
(9) suffix : Request already has destination realm set. Ignoring. | |
(9) [suffix] = ok | |
(9) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2') | |
(9) ? if (Realm == 'NULL' && Called-Station-SSID != 'SECURE-HEFR-2') -> FALSE | |
(9) eap : EAP packet type response id 11 length 43 | |
(9) eap : Continuing tunnel setup. | |
(9) [eap] = ok | |
(9) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4) | |
(9) ? elsif (Airespace-Wlan-Id == 3 || Airespace-Wlan-Id == 4) -> FALSE | |
(9) Found Auth-Type = EAP | |
(9) # Executing group from file /srv/freeradius/etc/raddb/sites-enabled/hefr | |
(9) group authenticate { | |
(9) - entering group authenticate {...} | |
(9) eap : Expiring EAP session with state 0xd6bf5df5deb44439 | |
(9) eap : Finished EAP session with state 0xd6bf5df5deb44439 | |
(9) eap : Previous EAP request found for state 0xd6bf5df5deb44439, released from the list | |
(9) eap : Peer sent PEAP (25) | |
(9) eap : EAP PEAP (25) | |
(9) eap : Calling eap_peap to process EAP data | |
(9) eap_peap : processing EAP-TLS | |
(9) eap_peap : eaptls_verify returned 7 | |
(9) eap_peap : Done initial handshake | |
(9) eap_peap : eaptls_process returned 7 | |
(9) eap_peap : FR_TLS_OK | |
(9) eap_peap : Session established. Decoding tunneled attributes. | |
(9) eap_peap : Peap state send tlv success | |
(9) eap_peap : Received EAP-TLV response. | |
(9) eap_peap : Success | |
(9) eap_peap : Using saved attributes from the original Access-Accept | |
Stripped-User-Name = 'masked-uid' | |
(9) WARNING: eap_peap : No information to cache: session caching will be disabled for session 2e4d29941698a934c07df3daaa9a121741d863190b8e9dbc0dcbe34abeef81d5 | |
SSL: Removing session 2e4d29941698a934c07df3daaa9a121741d863190b8e9dbc0dcbe34abeef81d5 from the cache | |
(9) eap : Freeing handler | |
(9) [eap] = ok | |
(9) # Executing section post-auth from file /srv/freeradius/etc/raddb/sites-enabled/hefr | |
(9) group post-auth { | |
(9) - entering group post-auth {...} | |
(9) policy remove_reply_message_if_eap { | |
(9) - entering policy remove_reply_message_if_eap {...} | |
(9) ? if (reply:EAP-Message && reply:Reply-Message) | |
(9) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE | |
(9) else else { | |
(9) - entering else else {...} | |
(9) [noop] = noop | |
(9) - else else returns noop | |
(9) - policy remove_reply_message_if_eap returns noop | |
(9) auth_log : expand: "/srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718' | |
(9) auth_log : /srv/freeradius/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /srv/freeradius/var/log/radacct/000.00.157.2/auth-detail-20130718 | |
(9) auth_log : expand: "%t" -> 'Thu Jul 18 11:35:14 2013' | |
(9) [auth_log] = ok | |
(9) policy wireless-policy { | |
(9) - entering policy wireless-policy {...} | |
(9) foreach reply:HESSO-Role-Raw { | |
(9) } # foreach reply:HESSO-Role-Raw = ok | |
(9) } # foreach reply:HESSO-Role-Raw = ok | |
(9) - policy wireless-policy returns ok | |
Sending Access-Accept of id 155 from 0.0.0.0 port 1812 to 000.00.157.2 port 32768 | |
MS-MPPE-Recv-Key = xx | |
MS-MPPE-Send-Key = xx | |
EAP-Message = 0x030b0004 | |
Message-Authenticator = 0x00000000000000000000000000000000 | |
User-Name = 'SOFR\\masked-uid' | |
(9) Finished request 9. |