# [Note] Utilization of FreeRADIUS

###### tags: `IEEE 802.1X`, `RADIUS`, `EAP`, `Port-based Network Access Protocol`

[toc]

## Goal

First of all, I want to record how to set up a RADIUS server and utilize FreeRADIUS on a Linux-based system. Secondly, I am going to configure a switch as an authenticator. Thirdly, I will show how to set up a PC running Windows OS as a supplicant. Finally, I will make a successful connection through the IEEE 802.1X protocol.

## Environment

<div style="text-align: center"><img src="https://i.imgur.com/F7vaMgE.png"/></div>

- System Information
    - Authentication server:
        ```
        1. Linux raspberrypi 4.14.79-v7+ #1159 SMP Sun Nov 4 17:50:20 GMT 2018 armv7l GNU/Linux
        2. radiusd: FreeRADIUS Version 3.0.12, for host arm-unknown-linux-gnueabihf, built on Aug 10 2017 at 07:05:06
           FreeRADIUS Version 3.0.12
        ```
    - Supplicant
        ```
        Win 10 Pro x64-based PC with a Realtek PCIe GBE Family Controller
        ```
    - Authenticator
        ```
        An arm-based Industrial L2 Switch with Linux 3.6.5
        Support IEEE 802.1x Port-based Network Access Protocol.
        ```

## RADIUS server Setup

### Config of client

*sudo vi /etc/freeradius/3.0/**clients.conf***

```shell=
#
# ipaddr: An IP of a switch and it is usually the management IP.
# secret: RADIUS shared secret key.
#
client private-network-1 {
    ipaddr = 192.168.1.100
    # ipaddr = 192.168.1.0/24
    secret = secret
    # require_message_authenticator = yes
}
```

### Config of users

*sudo vi /etc/freeradius/3.0/**users***

```shell=
#
# myusername: An account
# mypassword: The password
#
myusername Cleartext-Password := "mypassword"
#    Tunnel-Type = "Vlan",
#    Tunnel-Medium-Type = "IEEE-802",
#    Tunnel-Private-Group-ID = "77",
```

## Authenticator Setup and Configure

Here we show how to enable the IEEE 802.1X feature on an L2 switch, making it the authenticator, through its CLI. In general, the switch has to be given the RADIUS server IP and the shared key.
```shell
Switch# configure terminal
Switch(config)# dot1x system-auth-control
The Port-Based Network Acess Control is globally enabled
Switch(config)# dot1x authentic-method radius
Switch(config)# dot1x radius server-ip 192.168.1.200 key secret
RADIUS Server Port number NOT given. (default=1812)
RADIUS Accounting Port number NOT given. (default=1813)
RADIUS Server IP : 192.168.1.200
RADIUS Server Key : secret
RADIUS Server Port : 1812
RADIUS Accounting Port : 1813
Switch(config)# interface gi 0/5
Switch(config-if)# dot1x port-control auto
The port is set to auto!
Reset Port State
Port5 Link Change to DOWN
Switch# show dot1x interface gi2
Supplicant MAC ADDR <0000.0000.0000>
STATE-MACHINE
AM status : CONNECTING
BM status : IDLE
PortStatus : UNAUTHORIZED
PortControl : Auto
MAB : Disable
Reauthentication : Disable
MaxReq : 2
ReAuthPeriod : 3600 Seconds
QuietPeriod : 60 Seconds
TxPeriod : 30 Seconds
SupplicantTimeout : 30 Seconds
ServerTimeout : 30 Seconds
GuestVlan : 0
HostMode : Single
operControlledDirections : Both
adminControlledDirections : Both
```

## RADIUS client Setup and Configure

1. Launch Services
   ![](https://i.imgur.com/iuTXP42.png)
2. Find **Wired AutoConfig**
   ![](https://i.imgur.com/bJPu2zb.png)
3. Set the startup type to Automatic and start it.
   ![](https://i.imgur.com/PotIUXq.png)
4. Open the settings of the network interface
   ![](https://i.imgur.com/23gUBuU.png)
5. Enable IEEE 802.1X authentication.
   ![](https://i.imgur.com/M1RTvrc.png)
   ![](https://i.imgur.com/fboZXwY.png)

## Demonstration

<div style="text-align: center"><img src="https://i.imgur.com/F7vaMgE.png"/></div>
<div>          192.168.10.68   192.168.10.1   192.168.10.254</div><br/>

Following the steps above, I configured and set up the RADIUS server and client, and the switch (authenticator). I started the RADIUS server with debugging messages on the Raspberry Pi by

```shell
root@TomasPi# freeradius -X
```

On my Win 10 host, before link gi 0/5 comes up, I keep pinging 192.168.1.200, i.e., the server, all the time.
When I connect the link between the supplicant and the authenticator, a window shows up as shown below.

![](https://i.imgur.com/sHCMAZn.png)

After entering the username and password, my Pi RADIUS server dumps the logs below.

:::spoiler
```
(48) Received Access-Request Id 1 from 192.168.10.1:45964 to 192.168.10.254:1812 length 133
(48) User-Name = "luke"
(48) NAS-IP-Address = 192.168.10.1
(48) Calling-Station-Id = "00-E0-4C-68-04-22"
(48) NAS-Identifier = "ISSmaster"
(48) NAS-Port = 2
(48) Service-Type = Framed-User
(48) Framed-MTU = 1480
(48) NAS-Port-Type = Ethernet
(48) EAP-Message = 0x02010009016c756b65
(48) Tunnel-Type:0 = 0
(48) Tunnel-Medium-Type:0 = 0
(48) Tunnel-Private-Group-Id:0 = "\000\000"
(48) Message-Authenticator = 0x57a4576f1860cb6350e8e5c933735ad2
(48) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(48) authorize {
(48) policy filter_username {
(48) if (&User-Name) {
(48) if (&User-Name) -> TRUE
(48) if (&User-Name) {
(48) if (&User-Name =~ / /) {
(48) if (&User-Name =~ / /) -> FALSE
(48) if (&User-Name =~ /@[^@]*@/ ) {
(48) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(48) if (&User-Name =~ /\.\./ ) {
(48) if (&User-Name =~ /\.\./ ) -> FALSE
(48) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(48) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(48) if (&User-Name =~ /\.$/) {
(48) if (&User-Name =~ /\.$/) -> FALSE
(48) if (&User-Name =~ /@\./) {
(48) if (&User-Name =~ /@\./) -> FALSE
(48) } # if (&User-Name) = notfound
(48) } # policy filter_username = notfound
(48) [preprocess] = ok
(48) policy rewrite_calling_station_id {
(48) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(48) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(48) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(48) update request {
(48) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(48) --> 00-E0-4C-68-04-22
(48) &Calling-Station-Id := 00-E0-4C-68-04-22
(48) } # update request = noop
(48) [updated] = updated
(48) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(48) ... skipping else: Preceding "if" was taken
(48) } # policy rewrite_calling_station_id = updated
(48) [chap] = noop
(48) [mschap] = noop
(48) [digest] = noop
(48) suffix: Checking for suffix after "@"
(48) suffix: No '@' in User-Name = "luke", looking up realm NULL
(48) suffix: No such realm "NULL"
(48) [suffix] = noop
(48) eap: Peer sent EAP Response (code 2) ID 1 length 9
(48) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(48) [eap] = ok
(48) } # authorize = ok
(48) Found Auth-Type = eap
(48) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(48) authenticate {
(48) eap: Peer sent packet with method EAP Identity (1)
(48) eap: Calling submodule eap_md5 to process data
(48) eap_md5: Issuing MD5 Challenge
(48) eap: Sending EAP Request (code 1) ID 2 length 22
(48) eap: EAP session adding &reply:State = 0x3a7f4dd13a7d49f8
(48) [eap] = handled
(48) } # authenticate = handled
(48) Using Post-Auth-Type Challenge
(48) Post-Auth-Type sub-section not found. Ignoring.
(48) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(48) Sent Access-Challenge Id 1 from 192.168.10.254:1812 to 192.168.10.1:45964 length 0
(48) EAP-Message = 0x0102001604106a8423dc67be3192952bf6e916c85838
(48) Message-Authenticator = 0x00000000000000000000000000000000
(48) State = 0x3a7f4dd13a7d49f840e1efe849484c32
(48) Finished request
Waking up in 4.9 seconds.
(49) Received Access-Request Id 2 from 192.168.10.1:49185 to 192.168.10.254:1812 length 148
(49) User-Name = "luke"
(49) NAS-IP-Address = 192.168.10.1
(49) Calling-Station-Id = "00-E0-4C-68-04-22"
(49) NAS-Identifier = "ISSmaster"
(49) NAS-Port = 2
(49) Service-Type = Framed-User
(49) Framed-MTU = 1480
(49) NAS-Port-Type = Ethernet
(49) State = 0x3a7f4dd13a7d49f840e1efe849484c32
(49) EAP-Message = 0x020200060319
(49) Tunnel-Type:0 = 0
(49) Tunnel-Medium-Type:0 = 0
(49) Tunnel-Private-Group-Id:0 = "\000\000"
(49) Message-Authenticator = 0xee157c60c0e8a7e8180b4b1b75089b0f
(49) session-state: No cached attributes
(49) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(49) authorize {
(49) policy filter_username {
(49) if (&User-Name) {
(49) if (&User-Name) -> TRUE
(49) if (&User-Name) {
(49) if (&User-Name =~ / /) {
(49) if (&User-Name =~ / /) -> FALSE
(49) if (&User-Name =~ /@[^@]*@/ ) {
(49) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(49) if (&User-Name =~ /\.\./ ) {
(49) if (&User-Name =~ /\.\./ ) -> FALSE
(49) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(49) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(49) if (&User-Name =~ /\.$/) {
(49) if (&User-Name =~ /\.$/) -> FALSE
(49) if (&User-Name =~ /@\./) {
(49) if (&User-Name =~ /@\./) -> FALSE
(49) } # if (&User-Name) = notfound
(49) } # policy filter_username = notfound
(49) [preprocess] = ok
(49) policy rewrite_calling_station_id {
(49) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(49) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(49) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(49) update request {
(49) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(49) --> 00-E0-4C-68-04-22
(49) &Calling-Station-Id := 00-E0-4C-68-04-22
(49) } # update request = noop
(49) [updated] = updated
(49) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(49) ... skipping else: Preceding "if" was taken
(49) } # policy rewrite_calling_station_id = updated
(49) [chap] = noop
(49) [mschap] = noop
(49) [digest] = noop
(49) suffix: Checking for suffix after "@"
(49) suffix: No '@' in User-Name = "luke", looking up realm NULL
(49) suffix: No such realm "NULL"
(49) [suffix] = noop
(49) eap: Peer sent EAP Response (code 2) ID 2 length 6
(49) eap: No EAP Start, assuming it's an on-going EAP conversation
(49) [eap] = updated
(49) files: users: Matched entry luke at line 105
(49) [files] = ok
(49) [expiration] = noop
(49) [logintime] = noop
(49) pap: WARNING: Auth-Type already set. Not setting to PAP
(49) [pap] = noop
(49) } # authorize = updated
(49) Found Auth-Type = eap
(49) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49) authenticate {
(49) eap: Expiring EAP session with state 0x3a7f4dd13a7d49f8
(49) eap: Finished EAP session with state 0x3a7f4dd13a7d49f8
(49) eap: Previous EAP request found for state 0x3a7f4dd13a7d49f8, released from the list
(49) eap: Peer sent packet with method EAP NAK (3)
(49) eap: Found mutually acceptable type PEAP (25)
(49) eap: Calling submodule eap_peap to process data
(49) eap_peap: Initiating new EAP-TLS session
(49) eap_peap: [eaptls start] = request
(49) eap: Sending EAP Request (code 1) ID 3 length 6
(49) eap: EAP session adding &reply:State = 0x3a7f4dd13b7c54f8
(49) [eap] = handled
(49) } # authenticate = handled
(49) Using Post-Auth-Type Challenge
(49) Post-Auth-Type sub-section not found. Ignoring.
(49) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49) Sent Access-Challenge Id 2 from 192.168.10.254:1812 to 192.168.10.1:49185 length 0
(49) EAP-Message = 0x010300061920
(49) Message-Authenticator = 0x00000000000000000000000000000000
(49) State = 0x3a7f4dd13b7c54f840e1efe849484c32
(49) Finished request
Waking up in 4.8 seconds.
(50) Received Access-Request Id 3 from 192.168.10.1:47357 to 192.168.10.254:1812 length 308
(50) User-Name = "luke"
(50) NAS-IP-Address = 192.168.10.1
(50) Calling-Station-Id = "00-E0-4C-68-04-22"
(50) NAS-Identifier = "ISSmaster"
(50) NAS-Port = 2
(50) Service-Type = Framed-User
(50) Framed-MTU = 1480
(50) NAS-Port-Type = Ethernet
(50) State = 0x3a7f4dd13b7c54f840e1efe849484c32
(50) EAP-Message = 0x020300a619800000009c16030300970100009303035ee7099a57f46b3046b03345c8e360627beb4dc2e77c8e984150ffd8926ae7c500002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000040000500050100000000000a00080006001d
(50) Tunnel-Type:0 = 0
(50) Tunnel-Medium-Type:0 = 0
(50) Tunnel-Private-Group-Id:0 = "\000\000"
(50) Message-Authenticator = 0x0068adb93cb8bc76ba2bc32f83a24ec5
(50) session-state: No cached attributes
(50) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(50) authorize {
(50) policy filter_username {
(50) if (&User-Name) {
(50) if (&User-Name) -> TRUE
(50) if (&User-Name) {
(50) if (&User-Name =~ / /) {
(50) if (&User-Name =~ / /) -> FALSE
(50) if (&User-Name =~ /@[^@]*@/ ) {
(50) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(50) if (&User-Name =~ /\.\./ ) {
(50) if (&User-Name =~ /\.\./ ) -> FALSE
(50) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(50) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(50) if (&User-Name =~ /\.$/) {
(50) if (&User-Name =~ /\.$/) -> FALSE
(50) if (&User-Name =~ /@\./) {
(50) if (&User-Name =~ /@\./) -> FALSE
(50) } # if (&User-Name) = notfound
(50) } # policy filter_username = notfound
(50) [preprocess] = ok
(50) policy rewrite_calling_station_id {
(50) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(50) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(50) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(50) update request {
(50) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(50) --> 00-E0-4C-68-04-22
(50) &Calling-Station-Id := 00-E0-4C-68-04-22
(50) } # update request = noop
(50) [updated] = updated
(50) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(50) ... skipping else: Preceding "if" was taken
(50) } # policy rewrite_calling_station_id = updated
(50) [chap] = noop
(50) [mschap] = noop
(50) [digest] = noop
(50) suffix: Checking for suffix after "@"
(50) suffix: No '@' in User-Name = "luke", looking up realm NULL
(50) suffix: No such realm "NULL"
(50) [suffix] = noop
(50) eap: Peer sent EAP Response (code 2) ID 3 length 166
(50) eap: Continuing tunnel setup
(50) [eap] = ok
(50) } # authorize = ok
(50) Found Auth-Type = eap
(50) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(50) authenticate {
(50) eap: Expiring EAP session with state 0x3a7f4dd13b7c54f8
(50) eap: Finished EAP session with state 0x3a7f4dd13b7c54f8
(50) eap: Previous EAP request found for state 0x3a7f4dd13b7c54f8, released from the list
(50) eap: Peer sent packet with method EAP PEAP (25)
(50) eap: Calling submodule eap_peap to process data
(50) eap_peap: Continuing EAP-TLS
(50) eap_peap: Peer indicated complete TLS record size will be 156 bytes
(50) eap_peap: Got complete TLS record (156 bytes)
(50) eap_peap: [eaptls verify] = length included
(50) eap_peap: (other): before SSL initialization
(50) eap_peap: TLS_accept: before SSL initialization
(50) eap_peap: TLS_accept: before SSL initialization
(50) eap_peap: <<< recv TLS 1.2 [length 0097]
(50) eap_peap: TLS_accept: SSLv3/TLS read client hello
(50) eap_peap: >>> send TLS 1.2 [length 003d]
(50) eap_peap: TLS_accept: SSLv3/TLS write server hello
(50) eap_peap: >>> send TLS 1.2 [length 02e2]
(50) eap_peap: TLS_accept: SSLv3/TLS write certificate
(50) eap_peap: >>> send TLS 1.2 [length 014d]
(50) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(50) eap_peap: >>> send TLS 1.2 [length 0004]
(50) eap_peap: TLS_accept: SSLv3/TLS write server done
(50) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(50) eap_peap: In SSL Handshake Phase
(50) eap_peap: In SSL Accept mode
(50) eap_peap: [eaptls process] = handled
(50) eap: Sending EAP Request (code 1) ID 4 length 1004
(50) eap: EAP session adding &reply:State = 0x3a7f4dd1387b54f8
(50) [eap] = handled
(50) } # authenticate = handled
(50) Using Post-Auth-Type Challenge
(50) Post-Auth-Type sub-section not found. Ignoring.
(50) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(50) Sent Access-Challenge Id 3 from 192.168.10.254:1812 to 192.168.10.1:47357 length 0
(50) EAP-Message = 0x010403ec19c000000484160303003d020000390303aad4d802f191eb42f5ac1d959a0ea22259b6dfbaf528ea44a3f7a94cd43d7adc00c030000011ff01000100000b0004030001020017000016030302e20b0002de0002db0002d8308202d4308201bca003020102020900b29fdf28ef1102b0300d0609
(50) Message-Authenticator = 0x00000000000000000000000000000000
(50) State = 0x3a7f4dd1387b54f840e1efe849484c32
(50) Finished request
Waking up in 4.6 seconds.
(51) Received Access-Request Id 4 from 192.168.10.1:33362 to 192.168.10.254:1812 length 148
(51) User-Name = "luke"
(51) NAS-IP-Address = 192.168.10.1
(51) Calling-Station-Id = "00-E0-4C-68-04-22"
(51) NAS-Identifier = "ISSmaster"
(51) NAS-Port = 2
(51) Service-Type = Framed-User
(51) Framed-MTU = 1480
(51) NAS-Port-Type = Ethernet
(51) State = 0x3a7f4dd1387b54f840e1efe849484c32
(51) EAP-Message = 0x020400061900
(51) Tunnel-Type:0 = 0
(51) Tunnel-Medium-Type:0 = 0
(51) Tunnel-Private-Group-Id:0 = "\000\000"
(51) Message-Authenticator = 0x01e530f9e8f338896e81cfb72c1eefdb
(51) session-state: No cached attributes
(51) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(51) authorize {
(51) policy filter_username {
(51) if (&User-Name) {
(51) if (&User-Name) -> TRUE
(51) if (&User-Name) {
(51) if (&User-Name =~ / /) {
(51) if (&User-Name =~ / /) -> FALSE
(51) if (&User-Name =~ /@[^@]*@/ ) {
(51) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(51) if (&User-Name =~ /\.\./ ) {
(51) if (&User-Name =~ /\.\./ ) -> FALSE
(51) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(51) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(51) if (&User-Name =~ /\.$/) {
(51) if (&User-Name =~ /\.$/) -> FALSE
(51) if (&User-Name =~ /@\./) {
(51) if (&User-Name =~ /@\./) -> FALSE
(51) } # if (&User-Name) = notfound
(51) } # policy filter_username = notfound
(51) [preprocess] = ok
(51) policy rewrite_calling_station_id {
(51) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(51) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(51) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(51) update request {
(51) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(51) --> 00-E0-4C-68-04-22
(51) &Calling-Station-Id := 00-E0-4C-68-04-22
(51) } # update request = noop
(51) [updated] = updated
(51) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(51) ... skipping else: Preceding "if" was taken
(51) } # policy rewrite_calling_station_id = updated
(51) [chap] = noop
(51) [mschap] = noop
(51) [digest] = noop
(51) suffix: Checking for suffix after "@"
(51) suffix: No '@' in User-Name = "luke", looking up realm NULL
(51) suffix: No such realm "NULL"
(51) [suffix] = noop
(51) eap: Peer sent EAP Response (code 2) ID 4 length 6
(51) eap: Continuing tunnel setup
(51) [eap] = ok
(51) } # authorize = ok
(51) Found Auth-Type = eap
(51) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(51) authenticate {
(51) eap: Expiring EAP session with state 0x3a7f4dd1387b54f8
(51) eap: Finished EAP session with state 0x3a7f4dd1387b54f8
(51) eap: Previous EAP request found for state 0x3a7f4dd1387b54f8, released from the list
(51) eap: Peer sent packet with method EAP PEAP (25)
(51) eap: Calling submodule eap_peap to process data
(51) eap_peap: Continuing EAP-TLS
(51) eap_peap: Peer ACKed our handshake fragment
(51) eap_peap: [eaptls verify] = request
(51) eap_peap: [eaptls process] = handled
(51) eap: Sending EAP Request (code 1) ID 5 length 168
(51) eap: EAP session adding &reply:State = 0x3a7f4dd1397a54f8
(51) [eap] = handled
(51) } # authenticate = handled
(51) Using Post-Auth-Type Challenge
(51) Post-Auth-Type sub-section not found. Ignoring.
(51) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(51) Sent Access-Challenge Id 4 from 192.168.10.254:1812 to 192.168.10.1:33362 length 0
(51) EAP-Message = 0x010500a81900ee1d5fdb4a5b30eb897bad12cf2bc2e94df395504c08a0f94d5daa179ffa1df3d0806f5a903e9b8331e5db4bdf5e8079d341b8c4253d3b940f7ec25b2b32692931bd5aed79ae38f0d63becfde3a5dc3b8dfc2e6f8cf49b6a6a1f8840f63cfefa2847dab6d793931059ea76ec0a2747435e
(51) Message-Authenticator = 0x00000000000000000000000000000000
(51) State = 0x3a7f4dd1397a54f840e1efe849484c32
(51) Finished request
Waking up in 4.5 seconds.
(52) Received Access-Request Id 5 from 192.168.10.1:47918 to 192.168.10.254:1812 length 278
(52) User-Name = "luke"
(52) NAS-IP-Address = 192.168.10.1
(52) Calling-Station-Id = "00-E0-4C-68-04-22"
(52) NAS-Identifier = "ISSmaster"
(52) NAS-Port = 2
(52) Service-Type = Framed-User
(52) Framed-MTU = 1480
(52) NAS-Port-Type = Ethernet
(52) State = 0x3a7f4dd1397a54f840e1efe849484c32
(52) EAP-Message = 0x0205008819800000007e160303004610000042410431c96ee01d303fef4d9b4eade8b97a5dd4170e57de209adf077124bd2ee9c66a73f66fba49d800c17c88fde8bac810f1c0c9698b0a146a262e7c0f74e274390a14030300010116030300280000000000000000305108acc2a6d8c39d9b9f23ba4711
(52) Tunnel-Type:0 = 0
(52) Tunnel-Medium-Type:0 = 0
(52) Tunnel-Private-Group-Id:0 = "\000\000"
(52) Message-Authenticator = 0xc62a9641847915cbaa276bcf0998e34a
(52) session-state: No cached attributes
(52) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(52) authorize {
(52) policy filter_username {
(52) if (&User-Name) {
(52) if (&User-Name) -> TRUE
(52) if (&User-Name) {
(52) if (&User-Name =~ / /) {
(52) if (&User-Name =~ / /) -> FALSE
(52) if (&User-Name =~ /@[^@]*@/ ) {
(52) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(52) if (&User-Name =~ /\.\./ ) {
(52) if (&User-Name =~ /\.\./ ) -> FALSE
(52) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(52) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(52) if (&User-Name =~ /\.$/) {
(52) if (&User-Name =~ /\.$/) -> FALSE
(52) if (&User-Name =~ /@\./) {
(52) if (&User-Name =~ /@\./) -> FALSE
(52) } # if (&User-Name) = notfound
(52) } # policy filter_username = notfound
(52) [preprocess] = ok
(52) policy rewrite_calling_station_id {
(52) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(52) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(52) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(52) update request {
(52) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(52) --> 00-E0-4C-68-04-22
(52) &Calling-Station-Id := 00-E0-4C-68-04-22
(52) } # update request = noop
(52) [updated] = updated
(52) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(52) ... skipping else: Preceding "if" was taken
(52) } # policy rewrite_calling_station_id = updated
(52) [chap] = noop
(52) [mschap] = noop
(52) [digest] = noop
(52) suffix: Checking for suffix after "@"
(52) suffix: No '@' in User-Name = "luke", looking up realm NULL
(52) suffix: No such realm "NULL"
(52) [suffix] = noop
(52) eap: Peer sent EAP Response (code 2) ID 5 length 136
(52) eap: Continuing tunnel setup
(52) [eap] = ok
(52) } # authorize = ok
(52) Found Auth-Type = eap
(52) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(52) authenticate {
(52) eap: Expiring EAP session with state 0x3a7f4dd1397a54f8
(52) eap: Finished EAP session with state 0x3a7f4dd1397a54f8
(52) eap: Previous EAP request found for state 0x3a7f4dd1397a54f8, released from the list
(52) eap: Peer sent packet with method EAP PEAP (25)
(52) eap: Calling submodule eap_peap to process data
(52) eap_peap: Continuing EAP-TLS
(52) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(52) eap_peap: Got complete TLS record (126 bytes)
(52) eap_peap: [eaptls verify] = length included
(52) eap_peap: TLS_accept: SSLv3/TLS write server done
(52) eap_peap: <<< recv TLS 1.2 [length 0046]
(52) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(52) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(52) eap_peap: <<< recv TLS 1.2 [length 0010]
(52) eap_peap: TLS_accept: SSLv3/TLS read finished
(52) eap_peap: >>> send TLS 1.2 [length 0001]
(52) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(52) eap_peap: >>> send TLS 1.2 [length 0010]
(52) eap_peap: TLS_accept: SSLv3/TLS write finished
(52) eap_peap: (other): SSL negotiation finished successfully
(52) eap_peap: SSL Connection Established
(52) eap_peap: [eaptls process] = handled
(52) eap: Sending EAP Request (code 1) ID 6 length 57
(52) eap: EAP session adding &reply:State = 0x3a7f4dd13e7954f8
(52) [eap] = handled
(52) } # authenticate = handled
(52) Using Post-Auth-Type Challenge
(52) Post-Auth-Type sub-section not found. Ignoring.
(52) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(52) Sent Access-Challenge Id 5 from 192.168.10.254:1812 to 192.168.10.1:47918 length 0
(52) EAP-Message = 0x0106003919001403030001011603030028ffd5587ba117957e94a7f4fa386f6f01ed250dd4e3526f8dc2812f8301c6d47000173710c3e4ea8f
(52) Message-Authenticator = 0x00000000000000000000000000000000
(52) State = 0x3a7f4dd13e7954f840e1efe849484c32
(52) Finished request
Waking up in 4.4 seconds.
(53) Received Access-Request Id 6 from 192.168.10.1:42600 to 192.168.10.254:1812 length 148
(53) User-Name = "luke"
(53) NAS-IP-Address = 192.168.10.1
(53) Calling-Station-Id = "00-E0-4C-68-04-22"
(53) NAS-Identifier = "ISSmaster"
(53) NAS-Port = 2
(53) Service-Type = Framed-User
(53) Framed-MTU = 1480
(53) NAS-Port-Type = Ethernet
(53) State = 0x3a7f4dd13e7954f840e1efe849484c32
(53) EAP-Message = 0x020600061900
(53) Tunnel-Type:0 = 0
(53) Tunnel-Medium-Type:0 = 0
(53) Tunnel-Private-Group-Id:0 = "\000\000"
(53) Message-Authenticator = 0xbba13df16badc0acecf50692a124e212
(53) session-state: No cached attributes
(53) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(53) authorize {
(53) policy filter_username {
(53) if (&User-Name) {
(53) if (&User-Name) -> TRUE
(53) if (&User-Name) {
(53) if (&User-Name =~ / /) {
(53) if (&User-Name =~ / /) -> FALSE
(53) if (&User-Name =~ /@[^@]*@/ ) {
(53) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(53) if (&User-Name =~ /\.\./ ) {
(53) if (&User-Name =~ /\.\./ ) -> FALSE
(53) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(53) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(53) if (&User-Name =~ /\.$/) {
(53) if (&User-Name =~ /\.$/) -> FALSE
(53) if (&User-Name =~ /@\./) {
(53) if (&User-Name =~ /@\./) -> FALSE
(53) } # if (&User-Name) = notfound
(53) } # policy filter_username = notfound
(53) [preprocess] = ok
(53) policy rewrite_calling_station_id {
(53) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(53) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(53) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(53) update request {
(53) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(53) --> 00-E0-4C-68-04-22
(53) &Calling-Station-Id := 00-E0-4C-68-04-22
(53) } # update request = noop
(53) [updated] = updated
(53) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(53) ... skipping else: Preceding "if" was taken
(53) } # policy rewrite_calling_station_id = updated
(53) [chap] = noop
(53) [mschap] = noop
(53) [digest] = noop
(53) suffix: Checking for suffix after "@"
(53) suffix: No '@' in User-Name = "luke", looking up realm NULL
(53) suffix: No such realm "NULL"
(53) [suffix] = noop
(53) eap: Peer sent EAP Response (code 2) ID 6 length 6
(53) eap: Continuing tunnel setup
(53) [eap] = ok
(53) } # authorize = ok
(53) Found Auth-Type = eap
(53) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(53) authenticate {
(53) eap: Expiring EAP session with state 0x3a7f4dd13e7954f8
(53) eap: Finished EAP session with state 0x3a7f4dd13e7954f8
(53) eap: Previous EAP request found for state 0x3a7f4dd13e7954f8, released from the list
(53) eap: Peer sent packet with method EAP PEAP (25)
(53) eap: Calling submodule eap_peap to process data
(53) eap_peap: Continuing EAP-TLS
(53) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(53) eap_peap: [eaptls verify] = success
(53) eap_peap: [eaptls process] = success
(53) eap_peap: Session established. Decoding tunneled attributes
(53) eap_peap: PEAP state TUNNEL ESTABLISHED
(53) eap: Sending EAP Request (code 1) ID 7 length 40
(53) eap: EAP session adding &reply:State = 0x3a7f4dd13f7854f8
(53) [eap] = handled
(53) } # authenticate = handled
(53) Using Post-Auth-Type Challenge
(53) Post-Auth-Type sub-section not found. Ignoring.
(53) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(53) Sent Access-Challenge Id 6 from 192.168.10.254:1812 to 192.168.10.1:42600 length 0
(53) EAP-Message = 0x010700281900170303001dffd5587ba117957fa4d62146ff5bd06308497e39569e8206c4ce02ec6f
(53) Message-Authenticator = 0x00000000000000000000000000000000
(53) State = 0x3a7f4dd13f7854f840e1efe849484c32
(53) Finished request
Waking up in 4.2 seconds.
(54) Received Access-Request Id 7 from 192.168.10.1:44164 to 192.168.10.254:1812 length 182
(54) User-Name = "luke"
(54) NAS-IP-Address = 192.168.10.1
(54) Calling-Station-Id = "00-E0-4C-68-04-22"
(54) NAS-Identifier = "ISSmaster"
(54) NAS-Port = 2
(54) Service-Type = Framed-User
(54) Framed-MTU = 1480
(54) NAS-Port-Type = Ethernet
(54) State = 0x3a7f4dd13f7854f840e1efe849484c32
(54) EAP-Message = 0x020700281900170303001d0000000000000001e343b2690dcf201100aa7e7bd7da1188384d1810d2
(54) Tunnel-Type:0 = 0
(54) Tunnel-Medium-Type:0 = 0
(54) Tunnel-Private-Group-Id:0 = "\000\000"
(54) Message-Authenticator = 0xd2c93bb54271bae6a1322076146ab403
(54) session-state: No cached attributes
(54) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(54) authorize {
(54) policy filter_username {
(54) if (&User-Name) {
(54) if (&User-Name) -> TRUE
(54) if (&User-Name) {
(54) if (&User-Name =~ / /) {
(54) if (&User-Name =~ / /) -> FALSE
(54) if (&User-Name =~ /@[^@]*@/ ) {
(54) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(54) if (&User-Name =~ /\.\./ ) {
(54) if (&User-Name =~ /\.\./ ) -> FALSE
(54) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(54) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(54) if (&User-Name =~ /\.$/) {
(54) if (&User-Name =~ /\.$/) -> FALSE
(54) if (&User-Name =~ /@\./) {
(54) if (&User-Name =~ /@\./) -> FALSE
(54) } # if (&User-Name) = notfound
(54) } # policy filter_username = notfound
(54) [preprocess] = ok
(54) policy rewrite_calling_station_id {
(54) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(54) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(54) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(54) update request {
(54) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(54) --> 00-E0-4C-68-04-22
(54) &Calling-Station-Id := 00-E0-4C-68-04-22
(54) } # update request = noop
(54) [updated] = updated
(54) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(54) ... skipping else: Preceding "if" was taken
(54) } # policy rewrite_calling_station_id = updated
(54) [chap] = noop
(54) [mschap] = noop
(54) [digest] = noop
(54) suffix: Checking for suffix after "@"
(54) suffix: No '@' in User-Name = "luke", looking up realm NULL
(54) suffix: No such realm "NULL"
(54) [suffix] = noop
(54) eap: Peer sent EAP Response (code 2) ID 7 length 40
(54) eap: Continuing tunnel setup
(54) [eap] = ok
(54) } # authorize = ok
(54) Found Auth-Type = eap
(54) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(54) authenticate {
(54) eap: Expiring EAP session with state 0x3a7f4dd13f7854f8
(54) eap: Finished EAP session with state 0x3a7f4dd13f7854f8
(54) eap: Previous EAP request found for state 0x3a7f4dd13f7854f8, released from the list
(54) eap: Peer sent packet with method EAP PEAP (25)
(54) eap: Calling submodule eap_peap to process data
(54) eap_peap: Continuing EAP-TLS
(54) eap_peap: [eaptls verify] = ok
(54) eap_peap: Done initial handshake
(54) eap_peap: [eaptls process] = ok
(54) eap_peap: Session established. Decoding tunneled attributes
(54) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(54) eap_peap: Identity - luke
(54) eap_peap: Got inner identity 'luke'
(54) eap_peap: Setting default EAP type for tunneled EAP session
(54) eap_peap: Got tunneled request
(54) eap_peap: EAP-Message = 0x02070009016c756b65
(54) eap_peap: Setting User-Name to luke
(54) eap_peap: Sending tunneled request to inner-tunnel
(54) eap_peap: EAP-Message = 0x02070009016c756b65
(54) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(54) eap_peap: User-Name = "luke"
(54) Virtual server inner-tunnel received request
(54) EAP-Message = 0x02070009016c756b65
(54) FreeRADIUS-Proxied-To = 127.0.0.1
(54) User-Name = "luke"
(54) WARNING: Outer and inner identities are the same. User privacy is compromised.
```
:::
(54) server inner-tunnel { (54) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (54) authorize { (54) policy filter_username { (54) if (&User-Name) { (54) if (&User-Name) -> TRUE (54) if (&User-Name) { (54) if (&User-Name =~ / /) { (54) if (&User-Name =~ / /) -> FALSE (54) if (&User-Name =~ /@[^@]*@/ ) { (54) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (54) if (&User-Name =~ /\.\./ ) { (54) if (&User-Name =~ /\.\./ ) -> FALSE (54) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (54) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (54) if (&User-Name =~ /\.$/) { (54) if (&User-Name =~ /\.$/) -> FALSE (54) if (&User-Name =~ /@\./) { (54) if (&User-Name =~ /@\./) -> FALSE (54) } # if (&User-Name) = notfound (54) } # policy filter_username = notfound (54) [chap] = noop (54) [mschap] = noop (54) suffix: Checking for suffix after "@" (54) suffix: No '@' in User-Name = "luke", looking up realm NULL (54) suffix: No such realm "NULL" (54) [suffix] = noop (54) update control { (54) &Proxy-To-Realm := LOCAL (54) } # update control = noop (54) eap: Peer sent EAP Response (code 2) ID 7 length 9 (54) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (54) [eap] = ok (54) } # authorize = ok (54) Found Auth-Type = eap (54) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (54) authenticate { (54) eap: Peer sent packet with method EAP Identity (1) (54) eap: Calling submodule eap_mschapv2 to process data (54) eap_mschapv2: Issuing Challenge (54) eap: Sending EAP Request (code 1) ID 8 length 43 (54) eap: EAP session adding &reply:State = 0xf948dd9af940c74a (54) [eap] = handled (54) } # authenticate = handled (54) } # server inner-tunnel (54) Virtual server sending reply (54) EAP-Message = 0x0108002b1a010800261012cc8496805ba90a159b8b66302580e1667265657261646975732d332e302e3132 (54) Message-Authenticator = 0x00000000000000000000000000000000 (54) State = 
0xf948dd9af940c74aeab35ea8b229fb7e (54) eap_peap: Got tunneled reply code 11 (54) eap_peap: EAP-Message = 0x0108002b1a010800261012cc8496805ba90a159b8b66302580e1667265657261646975732d332e302e3132 (54) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (54) eap_peap: State = 0xf948dd9af940c74aeab35ea8b229fb7e (54) eap_peap: Got tunneled reply RADIUS code 11 (54) eap_peap: EAP-Message = 0x0108002b1a010800261012cc8496805ba90a159b8b66302580e1667265657261646975732d332e302e3132 (54) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (54) eap_peap: State = 0xf948dd9af940c74aeab35ea8b229fb7e (54) eap_peap: Got tunneled Access-Challenge (54) eap: Sending EAP Request (code 1) ID 8 length 74 (54) eap: EAP session adding &reply:State = 0x3a7f4dd13c7754f8 (54) [eap] = handled (54) } # authenticate = handled (54) Using Post-Auth-Type Challenge (54) Post-Auth-Type sub-section not found. Ignoring. (54) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (54) Sent Access-Challenge Id 7 from 192.168.10.254:1812 to 192.168.10.1:44164 length 0 (54) EAP-Message = 0x0108004a1900170303003fffd5587ba11795806b4fdb339fe4ab660cb9166ebf6a3e9184ccc2a416c6d1747d24d7a2379840c5b3c442fe4b4f8ed9159f525f297815eebb27e7f72e97e7 (54) Message-Authenticator = 0x00000000000000000000000000000000 (54) State = 0x3a7f4dd13c7754f840e1efe849484c32 (54) Finished request Waking up in 4.1 seconds. 
(55) Received Access-Request Id 8 from 192.168.10.1:47163 to 192.168.10.254:1812 length 236 (55) User-Name = "luke" (55) NAS-IP-Address = 192.168.10.1 (55) Calling-Station-Id = "00-E0-4C-68-04-22" (55) NAS-Identifier = "ISSmaster" (55) NAS-Port = 2 (55) Service-Type = Framed-User (55) Framed-MTU = 1480 (55) NAS-Port-Type = Ethernet (55) State = 0x3a7f4dd13c7754f840e1efe849484c32 (55) EAP-Message = 0x0208005e190017030300530000000000000002962493c23bbeb4d7086fe894812a1bacf15eef0a33a2e56fe995aecb49f6880e1b419fc7f2d1f14373c2f01b8c330e05995585ab9911d621051f4a7889108a3caf0f5a0e5756f2e3c5c0f4 (55) Tunnel-Type:0 = 0 (55) Tunnel-Medium-Type:0 = 0 (55) Tunnel-Private-Group-Id:0 = "\000\000" (55) Message-Authenticator = 0x59bb3218f4ca32575256f146fd45920b (55) session-state: No cached attributes (55) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (55) authorize { (55) policy filter_username { (55) if (&User-Name) { (55) if (&User-Name) -> TRUE (55) if (&User-Name) { (55) if (&User-Name =~ / /) { (55) if (&User-Name =~ / /) -> FALSE (55) if (&User-Name =~ /@[^@]*@/ ) { (55) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (55) if (&User-Name =~ /\.\./ ) { (55) if (&User-Name =~ /\.\./ ) -> FALSE (55) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (55) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (55) if (&User-Name =~ /\.$/) { (55) if (&User-Name =~ /\.$/) -> FALSE (55) if (&User-Name =~ /@\./) { (55) if (&User-Name =~ /@\./) -> FALSE (55) } # if (&User-Name) = notfound (55) } # policy filter_username = notfound (55) [preprocess] = ok (55) policy rewrite_calling_station_id { (55) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (55) if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (55) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (55) update request { (55) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (55) --> 00-E0-4C-68-04-22 (55) &Calling-Station-Id := 00-E0-4C-68-04-22 (55) } # update request = noop (55) [updated] = updated (55) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (55) ... skipping else: Preceding "if" was taken (55) } # policy rewrite_calling_station_id = updated (55) [chap] = noop (55) [mschap] = noop (55) [digest] = noop (55) suffix: Checking for suffix after "@" (55) suffix: No '@' in User-Name = "luke", looking up realm NULL (55) suffix: No such realm "NULL" (55) [suffix] = noop (55) eap: Peer sent EAP Response (code 2) ID 8 length 94 (55) eap: Continuing tunnel setup (55) [eap] = ok (55) } # authorize = ok (55) Found Auth-Type = eap (55) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (55) authenticate { (55) eap: Expiring EAP session with state 0xf948dd9af940c74a (55) eap: Finished EAP session with state 0x3a7f4dd13c7754f8 (55) eap: Previous EAP request found for state 0x3a7f4dd13c7754f8, released from the list (55) eap: Peer sent packet with method EAP PEAP (25) (55) eap: Calling submodule eap_peap to process data (55) eap_peap: Continuing EAP-TLS (55) eap_peap: [eaptls verify] = ok (55) eap_peap: Done initial handshake (55) eap_peap: [eaptls process] = ok (55) eap_peap: Session established. 
Decoding tunneled attributes (55) eap_peap: PEAP state phase2 (55) eap_peap: EAP method MSCHAPv2 (26) (55) eap_peap: Got tunneled request (55) eap_peap: EAP-Message = 0x0208003f1a0208003a317708c16b027949b136a22d3eb468a844000000000000000057e943de7efa49a70d09bbf0e630952f027dc52d489accf2006c756b65 (55) eap_peap: Setting User-Name to luke (55) eap_peap: Sending tunneled request to inner-tunnel (55) eap_peap: EAP-Message = 0x0208003f1a0208003a317708c16b027949b136a22d3eb468a844000000000000000057e943de7efa49a70d09bbf0e630952f027dc52d489accf2006c756b65 (55) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (55) eap_peap: User-Name = "luke" (55) eap_peap: State = 0xf948dd9af940c74aeab35ea8b229fb7e (55) Virtual server inner-tunnel received request (55) EAP-Message = 0x0208003f1a0208003a317708c16b027949b136a22d3eb468a844000000000000000057e943de7efa49a70d09bbf0e630952f027dc52d489accf2006c756b65 (55) FreeRADIUS-Proxied-To = 127.0.0.1 (55) User-Name = "luke" (55) State = 0xf948dd9af940c74aeab35ea8b229fb7e (55) WARNING: Outer and inner identities are the same. User privacy is compromised. 
(55) server inner-tunnel { (55) session-state: No cached attributes (55) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (55) authorize { (55) policy filter_username { (55) if (&User-Name) { (55) if (&User-Name) -> TRUE (55) if (&User-Name) { (55) if (&User-Name =~ / /) { (55) if (&User-Name =~ / /) -> FALSE (55) if (&User-Name =~ /@[^@]*@/ ) { (55) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (55) if (&User-Name =~ /\.\./ ) { (55) if (&User-Name =~ /\.\./ ) -> FALSE (55) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (55) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (55) if (&User-Name =~ /\.$/) { (55) if (&User-Name =~ /\.$/) -> FALSE (55) if (&User-Name =~ /@\./) { (55) if (&User-Name =~ /@\./) -> FALSE (55) } # if (&User-Name) = notfound (55) } # policy filter_username = notfound (55) [chap] = noop (55) [mschap] = noop (55) suffix: Checking for suffix after "@" (55) suffix: No '@' in User-Name = "luke", looking up realm NULL (55) suffix: No such realm "NULL" (55) [suffix] = noop (55) update control { (55) &Proxy-To-Realm := LOCAL (55) } # update control = noop (55) eap: Peer sent EAP Response (code 2) ID 8 length 63 (55) eap: No EAP Start, assuming it's an on-going EAP conversation (55) [eap] = updated (55) files: users: Matched entry luke at line 105 (55) [files] = ok (55) [expiration] = noop (55) [logintime] = noop (55) pap: WARNING: Auth-Type already set. 
Not setting to PAP (55) [pap] = noop (55) } # authorize = updated (55) Found Auth-Type = eap (55) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (55) authenticate { (55) eap: Expiring EAP session with state 0xf948dd9af940c74a (55) eap: Finished EAP session with state 0xf948dd9af940c74a (55) eap: Previous EAP request found for state 0xf948dd9af940c74a, released from the list (55) eap: Peer sent packet with method EAP MSCHAPv2 (26) (55) eap: Calling submodule eap_mschapv2 to process data (55) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (55) eap_mschapv2: authenticate { (55) mschap: Found Cleartext-Password, hashing to create NT-Password (55) mschap: Found Cleartext-Password, hashing to create LM-Password (55) mschap: Creating challenge hash with username: luke (55) mschap: Client is using MS-CHAPv2 (55) mschap: Adding MS-CHAPv2 MPPE keys (55) [mschap] = ok (55) } # authenticate = ok (55) MSCHAP Success (55) eap: Sending EAP Request (code 1) ID 9 length 51 (55) eap: EAP session adding &reply:State = 0xf948dd9af841c74a (55) [eap] = handled (55) } # authenticate = handled (55) } # server inner-tunnel (55) Virtual server sending reply (55) EAP-Message = 0x010900331a0308002e533d44314230313631363934433830453431343444344630324646334133314533334446434633393139 (55) Message-Authenticator = 0x00000000000000000000000000000000 (55) State = 0xf948dd9af841c74aeab35ea8b229fb7e (55) eap_peap: Got tunneled reply code 11 (55) eap_peap: EAP-Message = 0x010900331a0308002e533d44314230313631363934433830453431343444344630324646334133314533334446434633393139 (55) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (55) eap_peap: State = 0xf948dd9af841c74aeab35ea8b229fb7e (55) eap_peap: Got tunneled reply RADIUS code 11 (55) eap_peap: EAP-Message = 0x010900331a0308002e533d44314230313631363934433830453431343444344630324646334133314533334446434633393139 (55) eap_peap: Message-Authenticator = 
0x00000000000000000000000000000000 (55) eap_peap: State = 0xf948dd9af841c74aeab35ea8b229fb7e (55) eap_peap: Got tunneled Access-Challenge (55) eap: Sending EAP Request (code 1) ID 9 length 82 (55) eap: EAP session adding &reply:State = 0x3a7f4dd13d7654f8 (55) [eap] = handled (55) } # authenticate = handled (55) Using Post-Auth-Type Challenge (55) Post-Auth-Type sub-section not found. Ignoring. (55) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (55) Sent Access-Challenge Id 8 from 192.168.10.254:1812 to 192.168.10.1:47163 length 0 (55) EAP-Message = 0x0109005219001703030047ffd5587ba1179581a6fc4386e3375911d0f8ecc3512785555f98e20d16b742a4b6fee929d5b06edd14d7b82ad0300ed672f6e242b2098037b027fa712c9d961d5090e92136ee36 (55) Message-Authenticator = 0x00000000000000000000000000000000 (55) State = 0x3a7f4dd13d7654f840e1efe849484c32 (55) Finished request Waking up in 4.0 seconds. (56) Received Access-Request Id 9 from 192.168.10.1:44619 to 192.168.10.254:1812 length 179 (56) User-Name = "luke" (56) NAS-IP-Address = 192.168.10.1 (56) Calling-Station-Id = "00-E0-4C-68-04-22" (56) NAS-Identifier = "ISSmaster" (56) NAS-Port = 2 (56) Service-Type = Framed-User (56) Framed-MTU = 1480 (56) NAS-Port-Type = Ethernet (56) State = 0x3a7f4dd13d7654f840e1efe849484c32 (56) EAP-Message = 0x020900251900170303001a0000000000000003d13ce002ade8ca091ed9914e6e6dcd360660 (56) Tunnel-Type:0 = 0 (56) Tunnel-Medium-Type:0 = 0 (56) Tunnel-Private-Group-Id:0 = "\000\000" (56) Message-Authenticator = 0xeec9b88fd27efc165a6568822121278f (56) session-state: No cached attributes (56) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (56) authorize { (56) policy filter_username { (56) if (&User-Name) { (56) if (&User-Name) -> TRUE (56) if (&User-Name) { (56) if (&User-Name =~ / /) { (56) if (&User-Name =~ / /) -> FALSE (56) if (&User-Name =~ /@[^@]*@/ ) { (56) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (56) if (&User-Name =~ /\.\./ ) { (56) if (&User-Name =~ 
/\.\./ ) -> FALSE (56) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (56) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (56) if (&User-Name =~ /\.$/) { (56) if (&User-Name =~ /\.$/) -> FALSE (56) if (&User-Name =~ /@\./) { (56) if (&User-Name =~ /@\./) -> FALSE (56) } # if (&User-Name) = notfound (56) } # policy filter_username = notfound (56) [preprocess] = ok (56) policy rewrite_calling_station_id { (56) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (56) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (56) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (56) update request { (56) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (56) --> 00-E0-4C-68-04-22 (56) &Calling-Station-Id := 00-E0-4C-68-04-22 (56) } # update request = noop (56) [updated] = updated (56) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (56) ... 
skipping else: Preceding "if" was taken (56) } # policy rewrite_calling_station_id = updated (56) [chap] = noop (56) [mschap] = noop (56) [digest] = noop (56) suffix: Checking for suffix after "@" (56) suffix: No '@' in User-Name = "luke", looking up realm NULL (56) suffix: No such realm "NULL" (56) [suffix] = noop (56) eap: Peer sent EAP Response (code 2) ID 9 length 37 (56) eap: Continuing tunnel setup (56) [eap] = ok (56) } # authorize = ok (56) Found Auth-Type = eap (56) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (56) authenticate { (56) eap: Expiring EAP session with state 0xf948dd9af841c74a (56) eap: Finished EAP session with state 0x3a7f4dd13d7654f8 (56) eap: Previous EAP request found for state 0x3a7f4dd13d7654f8, released from the list (56) eap: Peer sent packet with method EAP PEAP (25) (56) eap: Calling submodule eap_peap to process data (56) eap_peap: Continuing EAP-TLS (56) eap_peap: [eaptls verify] = ok (56) eap_peap: Done initial handshake (56) eap_peap: [eaptls process] = ok (56) eap_peap: Session established. Decoding tunneled attributes (56) eap_peap: PEAP state phase2 (56) eap_peap: EAP method MSCHAPv2 (26) (56) eap_peap: Got tunneled request (56) eap_peap: EAP-Message = 0x020900061a03 (56) eap_peap: Setting User-Name to luke (56) eap_peap: Sending tunneled request to inner-tunnel (56) eap_peap: EAP-Message = 0x020900061a03 (56) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (56) eap_peap: User-Name = "luke" (56) eap_peap: State = 0xf948dd9af841c74aeab35ea8b229fb7e (56) Virtual server inner-tunnel received request (56) EAP-Message = 0x020900061a03 (56) FreeRADIUS-Proxied-To = 127.0.0.1 (56) User-Name = "luke" (56) State = 0xf948dd9af841c74aeab35ea8b229fb7e (56) WARNING: Outer and inner identities are the same. User privacy is compromised. 
(56) server inner-tunnel { (56) session-state: No cached attributes (56) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (56) authorize { (56) policy filter_username { (56) if (&User-Name) { (56) if (&User-Name) -> TRUE (56) if (&User-Name) { (56) if (&User-Name =~ / /) { (56) if (&User-Name =~ / /) -> FALSE (56) if (&User-Name =~ /@[^@]*@/ ) { (56) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (56) if (&User-Name =~ /\.\./ ) { (56) if (&User-Name =~ /\.\./ ) -> FALSE (56) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (56) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (56) if (&User-Name =~ /\.$/) { (56) if (&User-Name =~ /\.$/) -> FALSE (56) if (&User-Name =~ /@\./) { (56) if (&User-Name =~ /@\./) -> FALSE (56) } # if (&User-Name) = notfound (56) } # policy filter_username = notfound (56) [chap] = noop (56) [mschap] = noop (56) suffix: Checking for suffix after "@" (56) suffix: No '@' in User-Name = "luke", looking up realm NULL (56) suffix: No such realm "NULL" (56) [suffix] = noop (56) update control { (56) &Proxy-To-Realm := LOCAL (56) } # update control = noop (56) eap: Peer sent EAP Response (code 2) ID 9 length 6 (56) eap: No EAP Start, assuming it's an on-going EAP conversation (56) [eap] = updated (56) files: users: Matched entry luke at line 105 (56) [files] = ok (56) [expiration] = noop (56) [logintime] = noop (56) pap: WARNING: Auth-Type already set. 
Not setting to PAP (56) [pap] = noop (56) } # authorize = updated (56) Found Auth-Type = eap (56) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (56) authenticate { (56) eap: Expiring EAP session with state 0xf948dd9af841c74a (56) eap: Finished EAP session with state 0xf948dd9af841c74a (56) eap: Previous EAP request found for state 0xf948dd9af841c74a, released from the list (56) eap: Peer sent packet with method EAP MSCHAPv2 (26) (56) eap: Calling submodule eap_mschapv2 to process data (56) eap: Sending EAP Success (code 3) ID 9 length 4 (56) eap: Freeing handler (56) [eap] = ok (56) } # authenticate = ok (56) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (56) post-auth { ... } # empty sub-section is ignored (56) Login OK: [luke/<via Auth-Type = eap>] (from client private-network-1 port 0 via TLS tunnel) (56) } # server inner-tunnel (56) Virtual server sending reply (56) MS-MPPE-Encryption-Policy = Encryption-Allowed (56) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (56) MS-MPPE-Send-Key = 0x312a378d422ed94f24c195c1251f7283 (56) MS-MPPE-Recv-Key = 0xcab6089d690722fe0de07a4ef2a50df6 (56) EAP-Message = 0x03090004 (56) Message-Authenticator = 0x00000000000000000000000000000000 (56) User-Name = "luke" (56) eap_peap: Got tunneled reply code 2 (56) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (56) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (56) eap_peap: MS-MPPE-Send-Key = 0x312a378d422ed94f24c195c1251f7283 (56) eap_peap: MS-MPPE-Recv-Key = 0xcab6089d690722fe0de07a4ef2a50df6 (56) eap_peap: EAP-Message = 0x03090004 (56) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (56) eap_peap: User-Name = "luke" (56) eap_peap: Got tunneled reply RADIUS code 2 (56) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (56) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (56) eap_peap: MS-MPPE-Send-Key = 0x312a378d422ed94f24c195c1251f7283 (56) 
eap_peap: MS-MPPE-Recv-Key = 0xcab6089d690722fe0de07a4ef2a50df6 (56) eap_peap: EAP-Message = 0x03090004 (56) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (56) eap_peap: User-Name = "luke" (56) eap_peap: Tunneled authentication was successful (56) eap_peap: SUCCESS (56) eap_peap: Saving tunneled attributes for later (56) eap: Sending EAP Request (code 1) ID 10 length 46 (56) eap: EAP session adding &reply:State = 0x3a7f4dd1327554f8 (56) [eap] = handled (56) } # authenticate = handled (56) Using Post-Auth-Type Challenge (56) Post-Auth-Type sub-section not found. Ignoring. (56) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (56) Sent Access-Challenge Id 9 from 192.168.10.254:1812 to 192.168.10.1:44619 length 0 (56) EAP-Message = 0x010a002e19001703030023ffd5587ba1179582bfaa60675f22cfe9e60e8150d212319705e8b3c49d40dc07c65e61 (56) Message-Authenticator = 0x00000000000000000000000000000000 (56) State = 0x3a7f4dd1327554f840e1efe849484c32 (56) Finished request Waking up in 3.8 seconds. 
(57) Received Access-Request Id 10 from 192.168.10.1:44721 to 192.168.10.254:1812 length 188 (57) User-Name = "luke" (57) NAS-IP-Address = 192.168.10.1 (57) Calling-Station-Id = "00-E0-4C-68-04-22" (57) NAS-Identifier = "ISSmaster" (57) NAS-Port = 2 (57) Service-Type = Framed-User (57) Framed-MTU = 1480 (57) NAS-Port-Type = Ethernet (57) State = 0x3a7f4dd1327554f840e1efe849484c32 (57) EAP-Message = 0x020a002e190017030300230000000000000004ab35625840a37d3b4f127e0f5e3c82d21b1eb54f7ffd88fa0839bc (57) Tunnel-Type:0 = 0 (57) Tunnel-Medium-Type:0 = 0 (57) Tunnel-Private-Group-Id:0 = "\000\000" (57) Message-Authenticator = 0x2a4777745a6dd3c236e4ce401e2e22ef (57) session-state: No cached attributes (57) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (57) authorize { (57) policy filter_username { (57) if (&User-Name) { (57) if (&User-Name) -> TRUE (57) if (&User-Name) { (57) if (&User-Name =~ / /) { (57) if (&User-Name =~ / /) -> FALSE (57) if (&User-Name =~ /@[^@]*@/ ) { (57) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (57) if (&User-Name =~ /\.\./ ) { (57) if (&User-Name =~ /\.\./ ) -> FALSE (57) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (57) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (57) if (&User-Name =~ /\.$/) { (57) if (&User-Name =~ /\.$/) -> FALSE (57) if (&User-Name =~ /@\./) { (57) if (&User-Name =~ /@\./) -> FALSE (57) } # if (&User-Name) = notfound (57) } # policy filter_username = notfound (57) [preprocess] = ok (57) policy rewrite_calling_station_id { (57) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (57) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (57) if (&Calling-Station-Id && 
(&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (57) update request { (57) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (57) --> 00-E0-4C-68-04-22 (57) &Calling-Station-Id := 00-E0-4C-68-04-22 (57) } # update request = noop (57) [updated] = updated (57) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (57) ... skipping else: Preceding "if" was taken (57) } # policy rewrite_calling_station_id = updated (57) [chap] = noop (57) [mschap] = noop (57) [digest] = noop (57) suffix: Checking for suffix after "@" (57) suffix: No '@' in User-Name = "luke", looking up realm NULL (57) suffix: No such realm "NULL" (57) [suffix] = noop (57) eap: Peer sent EAP Response (code 2) ID 10 length 46 (57) eap: Continuing tunnel setup (57) [eap] = ok (57) } # authorize = ok (57) Found Auth-Type = eap (57) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (57) authenticate { (57) eap: Expiring EAP session with state 0x3a7f4dd1327554f8 (57) eap: Finished EAP session with state 0x3a7f4dd1327554f8 (57) eap: Previous EAP request found for state 0x3a7f4dd1327554f8, released from the list (57) eap: Peer sent packet with method EAP PEAP (25) (57) eap: Calling submodule eap_peap to process data (57) eap_peap: Continuing EAP-TLS (57) eap_peap: [eaptls verify] = ok (57) eap_peap: Done initial handshake (57) eap_peap: [eaptls process] = ok (57) eap_peap: Session established. 
Decoding tunneled attributes (57) eap_peap: PEAP state send tlv success (57) eap_peap: Received EAP-TLV response (57) eap_peap: Success (57) eap_peap: Using saved attributes from the original Access-Accept (57) eap_peap: User-Name = "luke" (57) eap: Sending EAP Success (code 3) ID 10 length 4 (57) eap: Freeing handler (57) [eap] = ok (57) } # authenticate = ok (57) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (57) post-auth { (57) update { (57) No attributes updated (57) } # update = noop (57) [exec] = noop (57) policy remove_reply_message_if_eap { (57) if (&reply:EAP-Message && &reply:Reply-Message) { (57) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (57) else { (57) [noop] = noop (57) } # else = noop (57) } # policy remove_reply_message_if_eap = noop (57) } # post-auth = noop (57) Login OK: [luke/<via Auth-Type = eap>] (from client private-network-1 port 2 cli 00-E0-4C-68-04-22) (57) Sent Access-Accept Id 10 from 192.168.10.254:1812 to 192.168.10.1:44721 length 0 (57) User-Name = "luke" (57) MS-MPPE-Recv-Key = 0xbf579474b03a8a137c13d382cee04d4a90fa6772bb26a216cabff1446b314312 (57) MS-MPPE-Send-Key = 0xb7fb9d4a372ac629c6a888f0ccda2e0c1195f5bc521d69150d6cd44baabe8b84 (57) EAP-Message = 0x030a0004 (57) Message-Authenticator = 0x00000000000000000000000000000000 (57) Finished request Waking up in 3.7 seconds. 
(58) Received Accounting-Request Id 15 from 192.168.10.1:44173 to 192.168.10.254:1813 length 79 (58) User-Name = "luke" (58) NAS-IP-Address = 192.168.10.1 (58) NAS-Port = 1 (58) NAS-Identifier = "ISSmaster" (58) Acct-Status-Type = Start (58) Acct-Session-Id = "00e04c680422000f" (58) Acct-Authentic = RADIUS (58) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default (58) preacct { (58) [preprocess] = ok (58) policy acct_unique { (58) update request { (58) Tmp-String-9 := "ai:" (58) } # update request = noop (58) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (58) EXPAND %{hex:&Class} (58) --> (58) EXPAND ^%{hex:&Tmp-String-9} (58) --> ^61693a (58) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (58) else { (58) update request { (58) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (58) --> 1fb4d8352507149996c375b6fcf6885f (58) &Acct-Unique-Session-Id := 1fb4d8352507149996c375b6fcf6885f (58) } # update request = noop (58) } # else = noop (58) } # policy acct_unique = noop (58) suffix: Checking for suffix after "@" (58) suffix: No '@' in User-Name = "luke", looking up realm NULL (58) suffix: No such realm "NULL" (58) [suffix] = noop (58) [files] = noop (58) } # preacct = ok (58) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default (58) accounting { (58) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d (58) detail: --> /var/log/freeradius/radacct/192.168.10.1/detail-20190929 (58) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.10.1/detail-20190929 (58) detail: EXPAND %t (58) detail: --> Sun Sep 29 01:41:14 2019 (58) [detail] = ok (58) [unix] = ok (58) 
[exec] = noop
(58)   attr_filter.accounting_response: EXPAND %{User-Name}
(58)   attr_filter.accounting_response:    --> luke
(58)   attr_filter.accounting_response: Matched entry DEFAULT at line 12
(58)   [attr_filter.accounting_response] = updated
(58) } # accounting = updated
(58) Sent Accounting-Response Id 15 from 192.168.10.254:1813 to 192.168.10.1:44173 length 0
(58) Finished request
(58) Cleaning up request packet ID 15 with timestamp +2760
Waking up in 3.7 seconds.
(48) Cleaning up request packet ID 1 with timestamp +2759
Waking up in 0.1 seconds.
(49) Cleaning up request packet ID 2 with timestamp +2759
Waking up in 0.1 seconds.
(50) Cleaning up request packet ID 3 with timestamp +2759
Waking up in 0.1 seconds.
(51) Cleaning up request packet ID 4 with timestamp +2759
Waking up in 0.1 seconds.
(52) Cleaning up request packet ID 5 with timestamp +2759
Waking up in 0.1 seconds.
(53) Cleaning up request packet ID 6 with timestamp +2760
Waking up in 0.1 seconds.
(54) Cleaning up request packet ID 7 with timestamp +2760
Waking up in 0.1 seconds.
(55) Cleaning up request packet ID 8 with timestamp +2760
Waking up in 0.1 seconds.
(56) Cleaning up request packet ID 9 with timestamp +2760
Waking up in 0.1 seconds.
(57) Cleaning up request packet ID 10 with timestamp +2760
Ready to process requests
:::

And we can ping successfully from the client to the server after passing the authentication, as shown below.
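The trace above is long because `freeradius -X` prints every module call; what a defender usually wants from it is just the sequence of EAP packets per request and the final verdict. The script below is an added example (mine, not part of the original note and not FreeRADIUS code): it groups the trace lines by request number, decodes the header of every `EAP-Message` value (code, id, length, type, and the identity string for type 1, per RFC 3748), and records the reply type, `Login OK`, the `Outer and inner identities are the same` warning, and whether `MS-MPPE-*-Key` attributes were returned (PEAP/MSCHAPv2 derives keying material; a bare EAP-MD5 exchange would not). The function and class names are my own; the sample trace embedded in it is constructed from lines of the log above, and a real trace is read from a file path given on the command line.

```python
"""Summarise a `freeradius -X` trace: one record per request, with every
EAP-Message header decoded (RFC 3748: code, id, length, type).
Added example for this note; not FreeRADIUS code."""
import re
import sys
from dataclasses import dataclass, field

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}

LINE_RE = re.compile(r"^\((\d+)\)\s*(.*)$")                  # "(56) ..." request-numbered lines
RECEIVED_RE = re.compile(r"^Received (\S+) Id \d+ from ([\d.]+):\d+ to ")
SENT_RE = re.compile(r"^Sent (\S+) Id \d+ from ")
ATTR_RE = re.compile(r"^(?:[\w.]+:\s+)?([A-Za-z][\w-]*) = (.*)$")  # optional "eap_peap: " prefix


def decode_eap(hexstr):
    """Decode an EAP packet given as the hex string printed for EAP-Message."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:        # only Request/Response carry a Type byte
        info["type"] = EAP_TYPES.get(raw[4], raw[4])
        if raw[4] == 1:                       # Identity: the payload is the bare identity
            info["identity"] = raw[5:].decode("utf-8", "replace")
    return info


@dataclass
class RequestSummary:
    number: int
    packet: str = ""          # Access-Request, Accounting-Request, ...
    nas: str = ""             # authenticator (switch) address
    user: str = ""            # outer User-Name
    reply: str = ""           # Access-Challenge / Access-Accept / Access-Reject / ...
    login_ok: bool = False
    mppe_keys: bool = False   # MS-MPPE-*-Key present: keying material was derived
    eap: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    seen_hex: set = field(default_factory=set, repr=False)


def summarize(trace):
    """Return {request number: RequestSummary} for a -X trace."""
    out = {}
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # "Waking up in ..." and other untagged lines
        num, body = int(m.group(1)), m.group(2).strip()
        rec = out.setdefault(num, RequestSummary(num))
        if (r := RECEIVED_RE.match(body)):
            rec.packet, rec.nas = r.group(1), r.group(2)
        elif (s := SENT_RE.match(body)):
            rec.reply = s.group(1)
        elif body.startswith("WARNING:"):
            rec.warnings.append(body[8:].strip())
        elif body.startswith("Login OK:"):
            rec.login_ok = True
        elif (a := ATTR_RE.match(body)):
            name, value = a.groups()
            if name == "User-Name" and not rec.user:
                rec.user = value.strip('"')
            elif name == "EAP-Message" and value not in rec.seen_hex:
                rec.seen_hex.add(value)       # the trace echoes each EAP-Message several times
                rec.eap.append(decode_eap(value))
            elif name.startswith("MS-MPPE-") and name.endswith("-Key"):
                rec.mppe_keys = True
    return out


def final_verdict(summaries):
    """The last Access-Accept/Access-Reject in the trace, or None if the exchange never finished."""
    verdicts = [r for r in sorted(summaries.values(), key=lambda r: r.number)
                if r.reply in ("Access-Accept", "Access-Reject")]
    return verdicts[-1] if verdicts else None


# Constructed sample: lines copied from the trace above (requests 54 and 57).
SAMPLE_TRACE = """\
(54) Received Access-Request Id 7 from 192.168.10.1:44164 to 192.168.10.254:1812 length 182
(54)   User-Name = "luke"
(54)   EAP-Message = 0x020700281900170303001d0000000000000001e343b2690dcf201100aa7e7bd7da1188384d1810d2
(54)   Tunnel-Type:0 = 0
(54) eap_peap: Got inner identity 'luke'
(54) eap_peap:   EAP-Message = 0x02070009016c756b65
(54) WARNING: Outer and inner identities are the same. User privacy is compromised.
(54) Sent Access-Challenge Id 7 from 192.168.10.254:1812 to 192.168.10.1:44164 length 0
Waking up in 4.1 seconds.
(57) Received Access-Request Id 10 from 192.168.10.1:44721 to 192.168.10.254:1812 length 188
(57)   User-Name = "luke"
(57)   EAP-Message = 0x020a002e190017030300230000000000000004ab35625840a37d3b4f127e0f5e3c82d21b1eb54f7ffd88fa0839bc
(57) Login OK: [luke/<via Auth-Type = eap>] (from client private-network-1 port 2 cli 00-E0-4C-68-04-22)
(57) Sent Access-Accept Id 10 from 192.168.10.254:1812 to 192.168.10.1:44721 length 0
(57)   MS-MPPE-Recv-Key = 0xbf579474b03a8a137c13d382cee04d4a90fa6772bb26a216cabff1446b314312
(57)   EAP-Message = 0x030a0004
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRACE
    summaries = summarize(text)
    for rec in summaries.values():
        eap = ", ".join(f"{e['code']}/{e.get('type', '-')}" for e in rec.eap)
        print(f"({rec.number}) {rec.packet} from {rec.nas} user={rec.user!r} eap=[{eap}] -> {rec.reply}")
        for w in rec.warnings:
            print(f"      warning: {w}")
    v = final_verdict(summaries)
    print("verdict:", f"{v.reply} for {v.user}, MPPE keys={'yes' if v.mppe_keys else 'no'}" if v else "none")
```

Run it as `python3 radius_trace.py /path/to/trace.txt` on a saved `freeradius -X` session; with no argument it summarises the embedded sample. The length check in `decode_eap` is deliberate: the trace prints the same EAP-Message at several stages, and a value that does not match its own length field is a sign the line was truncated or mangled when the log was copied, not a packet to reason about. The `warnings` list surfaces the identity-privacy warning seen in the log above, which goes away once the supplicant is configured to send an anonymous outer identity.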
```bash
C:\Users\tomas> ping 192.168.10.254 -t

Ping 192.168.10.254 (使用 32 位元組的資料):
回覆自 192.168.10.254: 目的地主機無法連線。
回覆自 192.168.10.254: 目的地主機無法連線。
回覆自 192.168.10.254: 目的地主機無法連線。
回覆自 192.168.10.254: 目的地主機無法連線。
回覆自 192.168.10.254: 目的地主機無法連線。
回覆自 192.168.10.254: 目的地主機無法連線。
回覆自 192.168.10.254: 目的地主機無法連線。
回覆自 192.168.10.254: 目的地主機無法連線。
回覆自 192.168.10.254: 目的地主機無法連線。
回覆自 192.168.10.254: 目的地主機無法連線。
回覆自 192.168.10.254: 目的地主機無法連線。
回覆自 192.168.10.254: 目的地主機無法連線。
回覆自 192.168.10.254: 目的地主機無法連線。
回覆自 192.168.10.254: 位元組=32 時間=7ms TTL=64
回覆自 192.168.10.254: 位元組=32 時間=1ms TTL=64
回覆自 192.168.10.254: 位元組=32 時間=3ms TTL=64
回覆自 192.168.10.254: 位元組=32 時間=2ms TTL=64
回覆自 192.168.10.254: 位元組=32 時間=1ms TTL=64
回覆自 192.168.10.254: 位元組=32 時間=1ms TTL=64
回覆自 192.168.10.254: 位元組=32 時間=1ms TTL=64
回覆自 192.168.10.254: 位元組=32 時間=1ms TTL=64
回覆自 192.168.10.254: 位元組=32 時間=2ms TTL=64
```

## Annex

### Troubleshooting

1. Error binding to port

   When executing `freeradius -X` repeatedly, I got an error as shown below.

   ```
   Failed binding to auth address 127.0.0.1 port 18120 bound to server inner-tunnel: Address already in use
   /etc/freeradius/3.0/sites-enabled/inner-tunnel[33]: Error binding to port for 127.0.0.1 port 18120
   ```

   The likely reason is that the freeradius instance we launched earlier is still running and holds the port; the solution is to kill that process.

   ```
   root@raspberrypi:/etc/freeradius/3.0# netstat -tulp | grep "18120"
   udp        0      0 localhost:18120         0.0.0.0:*                           1661/freeradius
   ```

   ```
   root@raspberrypi:/etc/freeradius/3.0# kill 1661
   ```

   or

   ```
   root@raspberrypi:/etc/freeradius/3.0# pidof freeradius | xargs kill -9
   ```

### Enable the MD5-Challenge network authentication method in Windows

As shown in the figure below, this section describes how to enable the MD5-Challenge network authentication method in Windows.

![](https://i.imgur.com/AXVLEL2.png)

To achieve this, we have to add some entries to the registry as shown below. Go to Run, type `regedit`, and navigate to the location below.

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP

1. Create a new key named 4.
2. Create the 5 values listed below under it.

Value name: RolesSupported
Value type: REG_DWORD
Value data: 0000000a

Value name: FriendlyName
Value type: REG_SZ
Value data: MD5-Challenge

Value name: Path
Value type: REG_EXPAND_SZ
Value data: %SystemRoot%\System32\Raschap.dll

Value name: InvokeUsernameDialog
Value type: REG_DWORD
Value data: 00000001

Value name: InvokePasswordDialog
Value type: REG_DWORD
Value data: 00000001
```

![](https://i.imgur.com/atzQW75.png)

## Reference

- https://faq.icto.um.edu.mo/%E5%A6%82%E4%BD%95%E5%9C%A8-windows-7-%E6%93%8D%E4%BD%9C%E7%B3%BB%E7%B5%B1%E4%B8%8A%E9%80%A3%E6%8E%A5%E6%BE%B3%E5%A4%A7%E6%9C%89%E7%B7%9A%E7%B6%B2%EF%BC%9F/?lang=zh-hant
- https://stackoverflow.com/questions/51335723/failed-binding-to-auth-address-127-0-0-1-port-18120-bound-to-server-inner-tunnel
- https://bidsarmanish.blogspot.com/2016/06/enabling-md5-challenge-in-windows_25.html
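The `acct_unique` policy in the `freeradius -X` accounting output of the Demonstration section took its `else` branch, because the Accounting-Request carried no Class attribute, and derived `Acct-Unique-Session-Id` from the NAS and session identifiers. The following Python script is an added example, not code from this note or from FreeRADIUS: it parses the attribute lines of the Accounting-Request as the debugger prints them, rebuilds the comma-separated string the policy hashes, and recomputes the MD5, so the key that ties Start and Stop records together in the detail file can be reproduced when correlating sessions offline. The log excerpt inside the script is re-typed from request (58) above; the helper names and the `LOGGED_ACCT_UNIQUE` constant are the example's own.

```python
import hashlib
import re

# Constructed sample: the attribute lines of request (58) from the
# `freeradius -X` output above, re-typed here so the script runs offline.
SAMPLE_DEBUG = """\
(58) Received Accounting-Request Id 15 from 192.168.10.1:44173 to 192.168.10.254:1813 length 79
(58)   User-Name = "luke"
(58)   NAS-IP-Address = 192.168.10.1
(58)   NAS-Port = 1
(58)   NAS-Identifier = "ISSmaster"
(58)   Acct-Status-Type = Start
(58)   Acct-Session-Id = "00e04c680422000f"
(58)   Acct-Authentic = RADIUS
(58) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default
"""

# Value FreeRADIUS logged for this request (copied from the debug output above).
LOGGED_ACCT_UNIQUE = "1fb4d8352507149996c375b6fcf6885f"

# "(58)   Attribute-Name = value"; the "Received ..." and "# Executing ..." lines
# do not match because their first token is not directly followed by " = ".
ATTR_RE = re.compile(r"^\(\d+\)\s+([A-Za-z0-9-]+) = (.*)$")
# Form of a Class attribute the server itself issued at Access-Accept time.
CLASS_RE = re.compile(r"^ai:([0-9a-f]{32})", re.I)


def parse_request_attrs(debug_text):
    """Return {attribute: value} for the attribute lines of one request.
    freeradius -X prints string values quoted; the quotes are stripped."""
    attrs = {}
    for line in debug_text.splitlines():
        m = ATTR_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        attrs[name] = value
    return attrs


def acct_unique_key(attrs):
    """Rebuild the string the default acct_unique policy hashes:
    User-Name, Acct-Session-Id, NAS-IPv6-Address (falling back to
    NAS-IP-Address), NAS-Identifier, NAS-Port-ID, NAS-Port, comma separated.
    An attribute missing from the request expands to the empty string, which
    is why the key for the request above has two consecutive commas."""
    nas_addr = attrs.get("NAS-IPv6-Address") or attrs.get("NAS-IP-Address", "")
    return ",".join([
        attrs.get("User-Name", ""),
        attrs.get("Acct-Session-Id", ""),
        nas_addr,
        attrs.get("NAS-Identifier", ""),
        attrs.get("NAS-Port-ID", ""),
        attrs.get("NAS-Port", ""),
    ])


def acct_unique_session_id(attrs):
    """Mirror the policy's two branches: reuse the id the server placed in
    Class at authentication time if the NAS echoed it back, otherwise derive
    one from the NAS/session identifiers (the branch taken in the log above,
    where the request carried no Class)."""
    m = CLASS_RE.match(attrs.get("Class", ""))
    if m:
        return m.group(1)
    return hashlib.md5(acct_unique_key(attrs).encode("utf-8")).hexdigest()


def session_record(attrs):
    """Compact record for correlating the Start/Stop packets of one session."""
    return {
        "user": attrs.get("User-Name"),
        "nas": attrs.get("NAS-Identifier"),
        "nas_ip": attrs.get("NAS-IP-Address"),
        "port": attrs.get("NAS-Port"),
        "status": attrs.get("Acct-Status-Type"),
        "acct_session_id": attrs.get("Acct-Session-Id"),
        "acct_unique": acct_unique_session_id(attrs),
    }


def matches_logged_value(attrs):
    """True when the recomputed digest equals the one in the debug output."""
    return acct_unique_session_id(attrs) == LOGGED_ACCT_UNIQUE


if __name__ == "__main__":
    parsed = parse_request_attrs(SAMPLE_DEBUG)
    for k, v in session_record(parsed).items():
        print("%-16s %s" % (k + ":", v))
    print("hashed string:   ", acct_unique_key(parsed))
    print("matches log:     ", matches_logged_value(parsed))
```

The script prints the parsed session record, the exact string that was hashed, and whether the recomputed digest equals the one FreeRADIUS logged; that comparison is the check to run before using this key to join Start and Stop records from the detail files of several NASes.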
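The registry steps above add EAP type 4 (MD5-Challenge) as a subkey with five values, to be created by hand in regedit. The following Python script is an added example, not part of the referenced blog post or of Windows: it emits the same key and values as a `.reg` file that can be imported with `regedit /s` or `reg import`, which is easier to review and repeat than clicking through the editor. It encodes each value type the way `.reg` files expect: `dword:` with eight hex digits for REG_DWORD, a quoted string for REG_SZ, and `hex(2):` with the UTF-16LE bytes plus terminating null for REG_EXPAND_SZ. The file name `md5-challenge.reg` and the helper names are the example's own. EAP-MD5 authenticates only the supplicant and derives no keying material, which is why it is no longer offered in the Windows UI; treat this as a lab setting.

```python
import os

# Registry key from the steps above; "4" is the EAP type number of
# MD5-Challenge, created as a subkey of ...\RasMan\PPP\EAP.
EAP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\4"

# Values exactly as listed on the page: (name, type, data).
MD5_CHALLENGE_VALUES = [
    ("RolesSupported", "REG_DWORD", 0x0000000A),
    ("FriendlyName", "REG_SZ", "MD5-Challenge"),
    ("Path", "REG_EXPAND_SZ", r"%SystemRoot%\System32\Raschap.dll"),
    ("InvokeUsernameDialog", "REG_DWORD", 0x00000001),
    ("InvokePasswordDialog", "REG_DWORD", 0x00000001),
]


def reg_sz(text):
    """REG_SZ in .reg syntax: a double-quoted string with \\ and " escaped."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def reg_dword(value):
    """REG_DWORD in .reg syntax: dword: followed by exactly eight hex digits."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("REG_DWORD out of range: %r" % value)
    return "dword:%08x" % value


def reg_expand_sz(text):
    """REG_EXPAND_SZ in .reg syntax: hex(2): followed by the UTF-16LE bytes of
    the string including its terminating null, as comma-separated hex pairs."""
    data = (text + "\0").encode("utf-16-le")
    return "hex(2):" + ",".join("%02x" % b for b in data)


ENCODERS = {"REG_SZ": reg_sz, "REG_DWORD": reg_dword, "REG_EXPAND_SZ": reg_expand_sz}


def reg_file_text(key, values):
    """Build a Version 5.00 .reg file body for one key and its values,
    with CRLF line endings as regedit writes them."""
    lines = ["Windows Registry Editor Version 5.00", "", "[%s]" % key]
    for name, vtype, data in values:
        lines.append('"%s"=%s' % (name, ENCODERS[vtype](data)))
    return "\r\n".join(lines) + "\r\n"


def md5_challenge_reg():
    """The .reg text for the MD5-Challenge key described on the page."""
    return reg_file_text(EAP_KEY, MD5_CHALLENGE_VALUES)


def write_reg_file(path, text):
    """Write the file as regedit exports it: UTF-16LE with a byte-order mark.
    Returns the number of bytes written."""
    with open(path, "w", encoding="utf-16-le", newline="") as fh:
        fh.write("\ufeff" + text)
    return os.path.getsize(path)


if __name__ == "__main__":
    text = md5_challenge_reg()
    print(text)
    print("wrote", write_reg_file("md5-challenge.reg", text), "bytes")
```

Review the printed text against the value table above before importing; the same functions serve for any other EAP type you need to add under that key, since only the subkey name and the value list change.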
