(0) Received Access-Request Id 5 from 192.168.254.20:53045 to 192.168.254.16:1812 length 247 (0) User-Name = "F6PJ500VNTH0" (0) NAS-IP-Address = 192.168.254.20 (0) NAS-Identifier = "7a455839b642" (0) Called-Station-Id = "7A-45-58-39-B6-42:arendtsen-secure" (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) Calling-Station-Id = "64-0B-D7-DE-4A-44" (0) Connect-Info = "CONNECT 0Mbps 802.11a" (0) Acct-Session-Id = "A489808D693B5946" (0) Acct-Multi-Session-Id = "BCC853EF4F45EAD6" (0) WLAN-Pairwise-Cipher = 1027081 (0) WLAN-Group-Cipher = 1027081 (0) WLAN-AKM-Suite = 1027084 (0) WLAN-Group-Mgmt-Cipher = 1027084 (0) Framed-MTU = 1400 (0) EAP-Message = 0x02740011014636504a353030564e544830 (0) Message-Authenticator = 0x4d41857a89ca88a82182fa1a7c42515e (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "F6PJ500VNTH0", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 116 length 17 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_peap to process data (0) eap_peap: (TLS) Initiating new session (0) eap: Sending EAP Request (code 1) ID 117 length 6 (0) eap: EAP session adding &reply:State = 0xa3577425a3226d13 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) session-state: Saving cached attributes (0) Framed-MTU = 994 (0) Sent Access-Challenge Id 5 from 192.168.254.16:1812 to 192.168.254.20:53045 length 64 (0) EAP-Message = 0x017500061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xa3577425a3226d135063bdf3f7a6897e (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 6 from 192.168.254.20:53045 to 192.168.254.16:1812 length 254 (1) User-Name = "F6PJ500VNTH0" (1) NAS-IP-Address = 192.168.254.20 (1) NAS-Identifier = "7a455839b642" (1) Called-Station-Id = "7A-45-58-39-B6-42:arendtsen-secure" (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) Calling-Station-Id = "64-0B-D7-DE-4A-44" (1) Connect-Info = "CONNECT 0Mbps 802.11a" (1) Acct-Session-Id = "A489808D693B5946" (1) Acct-Multi-Session-Id = "BCC853EF4F45EAD6" (1) WLAN-Pairwise-Cipher = 1027081 (1) WLAN-Group-Cipher = 1027081 (1) WLAN-AKM-Suite = 1027084 (1) WLAN-Group-Mgmt-Cipher = 1027084 (1) Framed-MTU = 1400 (1) EAP-Message = 0x02750006030d (1) State = 0xa3577425a3226d135063bdf3f7a6897e (1) Message-Authenticator = 0xe563043e9b0488c0a524d6e76ff976a1 (1) Restoring &session-state (1) &session-state:Framed-MTU = 994 (1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "F6PJ500VNTH0", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 117 length 6 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [files] = noop rlm_ldap (ldap): Reserved connection (0) (1) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (1) ldap: --> (uid=F6PJ500VNTH0) (1) ldap: Performing search in "dc=users,dc=arendtsen,dc=dk" with filter "(uid=F6PJ500VNTH0)", scope "sub" (1) ldap: Waiting for search result... (1) ldap: User object found at DN "uid=F6PJ500VNTH0,ou=ipad,ou=devices,dc=users,dc=arendtsen,dc=dk" (1) ldap: Processing user attributes (1) ldap: control:Password-With-Header += 'F6PJ500VNTH0' (1) ldap: reply:Tunnel-Type := VLAN (1) ldap: reply:Tunnel-Medium-Type := IEEE-802 (1) ldap: reply:Tunnel-Private-Group-ID := '31' rlm_ldap (ldap): Released connection (0) Need more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldap://localhost:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Closing expired connection (4) - Hit idle_timeout limit rlm_ldap (ldap): Closing expired connection (3) - Hit idle_timeout limit rlm_ldap (ldap): Closing expired connection (2) - Hit idle_timeout limit rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing expired connection (1) - Hit idle_timeout limit (1) [ldap] = updated (1) [expiration] = noop (1) [logintime] = noop (1) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (1) pap: Removing &control:Password-With-Header (1) pap: WARNING: Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0xa3577425a3226d13 (1) eap: Finished EAP session with state 0xa3577425a3226d13 (1) eap: Previous EAP request found for state 0xa3577425a3226d13, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Found mutually acceptable type TLS (13) (1) eap: Calling submodule eap_tls to process data (1) eap_tls: (TLS) Initiating new session (1) eap_tls: (TLS) Setting verify mode to require certificate from client (1) eap: Sending EAP Request (code 1) ID 118 length 6 (1) eap: EAP session adding &reply:State = 0xa3577425a2217913 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) session-state: Saving cached attributes (1) Framed-MTU = 994 (1) Sent Access-Challenge Id 6 from 192.168.254.16:1812 to 192.168.254.20:53045 length 80 (1) Tunnel-Type := VLAN (1) Tunnel-Medium-Type := IEEE-802 (1) Tunnel-Private-Group-Id := "31" (1) EAP-Message = 0x017600060d20 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0xa3577425a22179135063bdf3f7a6897e (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 7 from 192.168.254.20:53045 to 192.168.254.16:1812 length 412 (2) User-Name = "F6PJ500VNTH0" (2) NAS-IP-Address = 192.168.254.20 (2) NAS-Identifier = "7a455839b642" (2) Called-Station-Id = "7A-45-58-39-B6-42:arendtsen-secure" (2) NAS-Port-Type = Wireless-802.11 (2) Service-Type = Framed-User (2) Calling-Station-Id = "64-0B-D7-DE-4A-44" (2) Connect-Info = "CONNECT 0Mbps 802.11a" (2) Acct-Session-Id = "A489808D693B5946" (2) Acct-Multi-Session-Id = "BCC853EF4F45EAD6" (2) WLAN-Pairwise-Cipher = 1027081 (2) WLAN-Group-Cipher = 1027081 (2) WLAN-AKM-Suite = 1027084 (2) WLAN-Group-Mgmt-Cipher = 1027084 (2) Framed-MTU = 1400 (2) EAP-Message = 0x027600a40d800000009a1603010095010000910303dbad5e0fc29f30d44c0c4af0b0edfb6fc2f724022b0e130d1352435a34148245000022c02cc02bcca9c030c02fcca8c00ac009c014c013009d009c0035002fc008c012000a0100004600170000ff01000100000a000a0008001d001700180019000b00020100000500050100000000000d001800160403080404010503020308050805050108060601020100120000 (2) State = 0xa3577425a22179135063bdf3f7a6897e (2) Message-Authenticator = 0x428cd7e6acce0d24b57545eae5fd2137 (2) Restoring &session-state (2) &session-state:Framed-MTU = 994 (2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "F6PJ500VNTH0", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 118 length 164 (2) eap: No EAP Start, assuming it's an on-going EAP conversation (2) [eap] = updated (2) [files] = noop rlm_ldap (ldap): Reserved connection (0) (2) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (2) ldap: --> (uid=F6PJ500VNTH0) (2) ldap: Performing search in "dc=users,dc=arendtsen,dc=dk" with filter "(uid=F6PJ500VNTH0)", scope "sub" (2) ldap: Waiting for search result... (2) ldap: User object found at DN "uid=F6PJ500VNTH0,ou=ipad,ou=devices,dc=users,dc=arendtsen,dc=dk" (2) ldap: Processing user attributes (2) ldap: control:Password-With-Header += 'F6PJ500VNTH0' (2) ldap: reply:Tunnel-Type := VLAN (2) ldap: reply:Tunnel-Medium-Type := IEEE-802 (2) ldap: reply:Tunnel-Private-Group-ID := '31' rlm_ldap (ldap): Released connection (0) (2) [ldap] = updated (2) [expiration] = noop (2) [logintime] = noop (2) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (2) pap: Removing &control:Password-With-Header (2) pap: WARNING: Auth-Type already set. Not setting to PAP (2) [pap] = noop (2) } # authorize = updated (2) Found Auth-Type = eap (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0xa3577425a2217913 (2) eap: Finished EAP session with state 0xa3577425a2217913 (2) eap: Previous EAP request found for state 0xa3577425a2217913, released from the list (2) eap: Peer sent packet with method EAP TLS (13) (2) eap: Calling submodule eap_tls to process data (2) eap_tls: (TLS) EAP Peer says that the final record size will be 154 bytes (2) eap_tls: (TLS) EAP Got all data (154 bytes) (2) eap_tls: (TLS) Handshake state - before SSL initialization (2) eap_tls: (TLS) Handshake state - Server before SSL initialization (2) eap_tls: (TLS) Handshake state - Server before SSL initialization (2) eap_tls: (TLS) recv TLS 1.3 Handshake, ClientHello (2) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client hello (2) eap_tls: (TLS) send TLS 1.2 Handshake, ServerHello (2) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server hello (2) eap_tls: (TLS) send TLS 1.2 Handshake, Certificate (2) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write certificate (2) eap_tls: (TLS) send TLS 1.2 Handshake, ServerKeyExchange (2) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write key exchange (2) eap_tls: (TLS) send TLS 1.2 Handshake, CertificateRequest (2) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write certificate request (2) eap_tls: (TLS) send TLS 1.2 Handshake, ServerHelloDone (2) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done (2) eap_tls: (TLS) Server : Need to read more data: SSLv3/TLS write server done (2) eap_tls: (TLS) In Handshake Phase (2) eap: Sending EAP Request (code 1) ID 119 length 1004 (2) eap: EAP session adding &reply:State = 0xa3577425a1207913 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) session-state: Saving cached attributes (2) Framed-MTU = 994 (2) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (2) Sent Access-Challenge Id 7 from 192.168.254.16:1812 to 192.168.254.20:53045 length 1084 (2) Tunnel-Type := VLAN (2) Tunnel-Medium-Type := IEEE-802 (2) Tunnel-Private-Group-Id := "31" (2) EAP-Message = 0x017703ec0dc00000098f160303003d020000390303aa3d9b4c5ec0dbfe3ca7e5d3028aeaa1e18ec4e598ae43eb708e300bb21dbf0100c030000011ff01000100000b0004030001020017000016030307050b0007010006fe0006fb308206f73082055fa003020102020a4fff11373021e4b7f7d0300d06092a864886f70d01010b05003052310b300906035504061302444b31123010060355040a0c094172656e647473656e312f302d06035504030c264172656e647473656e2053657276657273204973737573696e67204341203230323131303130301e170d3233303732323232313430335a170d3234303132323232313430335a306a31123010060a0992268993f22c6401191602646b31193017060a0992268993f22c64011916096172656e647473656e31123010060a0992268993f22c640119160263613125302306035504030c1c6175746830322e696e7465726e616c2e6172656e647473656e2e646b308201a2300d06092a864886f70d010101050003 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0xa3577425a12079135063bdf3f7a6897e (2) Finished request Waking up in 4.8 seconds. (3) Received Access-Request Id 8 from 192.168.254.20:53045 to 192.168.254.16:1812 length 254 (3) User-Name = "F6PJ500VNTH0" (3) NAS-IP-Address = 192.168.254.20 (3) NAS-Identifier = "7a455839b642" (3) Called-Station-Id = "7A-45-58-39-B6-42:arendtsen-secure" (3) NAS-Port-Type = Wireless-802.11 (3) Service-Type = Framed-User (3) Calling-Station-Id = "64-0B-D7-DE-4A-44" (3) Connect-Info = "CONNECT 0Mbps 802.11a" (3) Acct-Session-Id = "A489808D693B5946" (3) Acct-Multi-Session-Id = "BCC853EF4F45EAD6" (3) WLAN-Pairwise-Cipher = 1027081 (3) WLAN-Group-Cipher = 1027081 (3) WLAN-AKM-Suite = 1027084 (3) WLAN-Group-Mgmt-Cipher = 1027084 (3) Framed-MTU = 1400 (3) EAP-Message = 0x027700060d00 (3) State = 0xa3577425a12079135063bdf3f7a6897e (3) Message-Authenticator = 0x4cc2701460b9a1736a37ce69d62bbaa8 (3) Restoring &session-state (3) &session-state:Framed-MTU = 994 (3) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "F6PJ500VNTH0", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 119 length 6 (3) eap: No EAP Start, assuming it's an on-going EAP conversation (3) [eap] = updated (3) [files] = noop rlm_ldap (ldap): Reserved connection (5) (3) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (3) ldap: --> (uid=F6PJ500VNTH0) (3) ldap: Performing search in "dc=users,dc=arendtsen,dc=dk" with filter "(uid=F6PJ500VNTH0)", scope "sub" (3) ldap: Waiting for search result... (3) ldap: User object found at DN "uid=F6PJ500VNTH0,ou=ipad,ou=devices,dc=users,dc=arendtsen,dc=dk" (3) ldap: Processing user attributes (3) ldap: control:Password-With-Header += 'F6PJ500VNTH0' (3) ldap: reply:Tunnel-Type := VLAN (3) ldap: reply:Tunnel-Medium-Type := IEEE-802 (3) ldap: reply:Tunnel-Private-Group-ID := '31' rlm_ldap (ldap): Released connection (5) (3) [ldap] = updated (3) [expiration] = noop (3) [logintime] = noop (3) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (3) pap: Removing &control:Password-With-Header (3) pap: WARNING: Auth-Type already set. Not setting to PAP (3) [pap] = noop (3) } # authorize = updated (3) Found Auth-Type = eap (3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0xa3577425a1207913 (3) eap: Finished EAP session with state 0xa3577425a1207913 (3) eap: Previous EAP request found for state 0xa3577425a1207913, released from the list (3) eap: Peer sent packet with method EAP TLS (13) (3) eap: Calling submodule eap_tls to process data (3) eap_tls: (TLS) Peer ACKed our handshake fragment (3) eap: Sending EAP Request (code 1) ID 120 length 1004 (3) eap: EAP session adding &reply:State = 0xa3577425a02f7913 (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (3) Challenge { ... } # empty sub-section is ignored (3) session-state: Saving cached attributes (3) Framed-MTU = 994 (3) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (3) Sent Access-Challenge Id 8 from 192.168.254.16:1812 to 192.168.254.20:53045 length 1084 (3) Tunnel-Type := VLAN (3) Tunnel-Medium-Type := IEEE-802 (3) Tunnel-Private-Group-Id := "31" (3) EAP-Message = 0x017803ec0dc00000098f2f706b692e6172656e647473656e2e646b2f646f776e6c6f61642f4172656e647473656e5f536572766572735f4973737573696e675f43415f32303231313031302e63726c30130603551d25040c300a06082b06010505070301300e0603551d0f0101ff0404030203a83081aa0603551d200481a230819f30819c06032a0304308194302c06082b060105050702011620687474703a2f2f706b692e6172656e647473656e2e646b2f6370732e68746d6c302c06082b060105050702011620687474703a2f2f706b692e6172656e647473656e2e646b2f6370732e68746d6c303606082b06010505070202302a1a2854686973206973206120636f6d6d656e7420666f7220706f6c696379206f696420312e322e332e3430819d0603551d11048195308192821a617574682e696e7465726e616c2e6172656e647473656e2e646b821c6175746830322e696e7465726e616c2e6172656e647473656e2e646b821c6c64617030322e696e746572 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0xa3577425a02f79135063bdf3f7a6897e (3) Finished request Waking up in 4.8 seconds. (4) Received Access-Request Id 9 from 192.168.254.20:53045 to 192.168.254.16:1812 length 254 (4) User-Name = "F6PJ500VNTH0" (4) NAS-IP-Address = 192.168.254.20 (4) NAS-Identifier = "7a455839b642" (4) Called-Station-Id = "7A-45-58-39-B6-42:arendtsen-secure" (4) NAS-Port-Type = Wireless-802.11 (4) Service-Type = Framed-User (4) Calling-Station-Id = "64-0B-D7-DE-4A-44" (4) Connect-Info = "CONNECT 0Mbps 802.11a" (4) Acct-Session-Id = "A489808D693B5946" (4) Acct-Multi-Session-Id = "BCC853EF4F45EAD6" (4) WLAN-Pairwise-Cipher = 1027081 (4) WLAN-Group-Cipher = 1027081 (4) WLAN-AKM-Suite = 1027084 (4) WLAN-Group-Mgmt-Cipher = 1027084 (4) Framed-MTU = 1400 (4) EAP-Message = 0x027800060d00 (4) State = 0xa3577425a02f79135063bdf3f7a6897e (4) Message-Authenticator = 0x8ff9e6940aaddc48debb36a300583c8e (4) Restoring &session-state (4) &session-state:Framed-MTU = 994 (4) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (4) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "F6PJ500VNTH0", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 120 length 6 (4) eap: No EAP Start, assuming it's an on-going EAP conversation (4) [eap] = updated (4) [files] = noop rlm_ldap (ldap): Reserved connection (0) (4) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (4) ldap: --> (uid=F6PJ500VNTH0) (4) ldap: Performing search in "dc=users,dc=arendtsen,dc=dk" with filter "(uid=F6PJ500VNTH0)", scope "sub" (4) ldap: Waiting for search result... (4) ldap: User object found at DN "uid=F6PJ500VNTH0,ou=ipad,ou=devices,dc=users,dc=arendtsen,dc=dk" (4) ldap: Processing user attributes (4) ldap: control:Password-With-Header += 'F6PJ500VNTH0' (4) ldap: reply:Tunnel-Type := VLAN (4) ldap: reply:Tunnel-Medium-Type := IEEE-802 (4) ldap: reply:Tunnel-Private-Group-ID := '31' rlm_ldap (ldap): Released connection (0) (4) [ldap] = updated (4) [expiration] = noop (4) [logintime] = noop (4) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (4) pap: Removing &control:Password-With-Header (4) pap: WARNING: Auth-Type already set. Not setting to PAP (4) [pap] = noop (4) } # authorize = updated (4) Found Auth-Type = eap (4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0xa3577425a02f7913 (4) eap: Finished EAP session with state 0xa3577425a02f7913 (4) eap: Previous EAP request found for state 0xa3577425a02f7913, released from the list (4) eap: Peer sent packet with method EAP TLS (13) (4) eap: Calling submodule eap_tls to process data (4) eap_tls: (TLS) Peer ACKed our handshake fragment (4) eap: Sending EAP Request (code 1) ID 121 length 469 (4) eap: EAP session adding &reply:State = 0xa3577425a72e7913 (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (4) Challenge { ... } # empty sub-section is ignored (4) session-state: Saving cached attributes (4) Framed-MTU = 994 (4) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (4) Sent Access-Challenge Id 9 from 192.168.254.16:1812 to 192.168.254.20:53045 length 545 (4) Tunnel-Type := VLAN (4) Tunnel-Medium-Type := IEEE-802 (4) Tunnel-Private-Group-Id := "31" (4) EAP-Message = 0x017901d50d800000098f68d35ec02f9d9b5e479eafe848689417ff3136c59ca717e0356117957a122ae06e7904cf1bbddd7236f22e83d30d3b637220c4e9bcfbf94fddcd111df07a8bb114ea9d35a25c0bf774c2a2696cc1ec26fc2d02a1bf283627d5380aa178bbc8688df0c06c457db22b22f68869543d5041b96100c2504dde5bdcbf960ece8673c018aac7f40450bcba62bd4530a9bfe969ef094357fdb1b3c3c589666197e9317af6b79797b58567a9a9bfa64381749d09da1dadebaf805db6ce46d73ae3590cf92da844e884ebeebb0d8c4531fb517b959b2a4bbc72e79a21819320ca8652b6aebe3417e42613bc3c954066ea37e02e962efc578c6d8408af6e2dfc2d58cf6bd643d9da7b0c9d10049c8cb7f1a88363f6bc158c498cbed7a2951897d8d57270dfd96bcc3accc249f0b81cb9958ea848039cab14712d849cd776f536c8c96c2fbb8f7290e4b3bb6b2c3bc7c79cc30772b3abb93b712d0bec509e3a16030300630d00005f03010240002e04030503 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0xa3577425a72e79135063bdf3f7a6897e (4) Finished request Waking up in 4.8 seconds. (5) Received Access-Request Id 10 from 192.168.254.20:53045 to 192.168.254.16:1812 length 1534 (5) User-Name = "F6PJ500VNTH0" (5) NAS-IP-Address = 192.168.254.20 (5) NAS-Identifier = "7a455839b642" (5) Called-Station-Id = "7A-45-58-39-B6-42:arendtsen-secure" (5) NAS-Port-Type = Wireless-802.11 (5) Service-Type = Framed-User (5) Calling-Station-Id = "64-0B-D7-DE-4A-44" (5) Connect-Info = "CONNECT 0Mbps 802.11a" (5) Acct-Session-Id = "A489808D693B5946" (5) Acct-Multi-Session-Id = "BCC853EF4F45EAD6" (5) WLAN-Pairwise-Cipher = 1027081 (5) WLAN-Group-Cipher = 1027081 (5) WLAN-AKM-Suite = 1027084 (5) WLAN-Group-Mgmt-Cipher = 1027084 (5) Framed-MTU = 1400 (5) EAP-Message = 0x027904fc0dc0000010671603030ed70b000ed3000ed00005df308205db30820443a003020102020a6cff7e76695b0cf259f0300d06092a864886f70d01010b05003052310b300906035504061302444b31123010060355040a0c094172656e647473656e312f302d06035504030c264172656e647473656e2044657669636573204973737573696e67204341203230323131303131301e170d3233303733313230333935395a170d3234303733313230333935395a306e31123010060a0992268993f22c6401191602646b31193017060a0992268993f22c64011916096172656e647473656e31173015060a0992268993f22c640119160764657669636573310d300b060355040b0c04697061643115301306035504030c0c4636504a353030564e54483030820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb81cc2e73b30d8bebd5867d25e931f1522b3f4c1776622728fc42c6aa60366a2ceeabab822105dbbe9cf282fdb2a1543 (5) State = 0xa3577425a72e79135063bdf3f7a6897e (5) Message-Authenticator = 0xb6278bb2893c3f7ad22bdf9e1feb53f7 (5) Restoring &session-state (5) &session-state:Framed-MTU = 994 (5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (5) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "F6PJ500VNTH0", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 121 length 1276 (5) eap: No EAP Start, assuming it's an on-going EAP conversation (5) [eap] = updated (5) [files] = noop rlm_ldap (ldap): Reserved connection (5) (5) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (5) ldap: --> (uid=F6PJ500VNTH0) (5) ldap: Performing search in "dc=users,dc=arendtsen,dc=dk" with filter "(uid=F6PJ500VNTH0)", scope "sub" (5) ldap: Waiting for search result... (5) ldap: User object found at DN "uid=F6PJ500VNTH0,ou=ipad,ou=devices,dc=users,dc=arendtsen,dc=dk" (5) ldap: Processing user attributes (5) ldap: control:Password-With-Header += 'F6PJ500VNTH0' (5) ldap: reply:Tunnel-Type := VLAN (5) ldap: reply:Tunnel-Medium-Type := IEEE-802 (5) ldap: reply:Tunnel-Private-Group-ID := '31' rlm_ldap (ldap): Released connection (5) (5) [ldap] = updated (5) [expiration] = noop (5) [logintime] = noop (5) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (5) pap: Removing &control:Password-With-Header (5) pap: WARNING: Auth-Type already set. Not setting to PAP (5) [pap] = noop (5) } # authorize = updated (5) Found Auth-Type = eap (5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0xa3577425a72e7913 (5) eap: Finished EAP session with state 0xa3577425a72e7913 (5) eap: Previous EAP request found for state 0xa3577425a72e7913, released from the list (5) eap: Peer sent packet with method EAP TLS (13) (5) eap: Calling submodule eap_tls to process data (5) eap_tls: (TLS) EAP Peer says that the final record size will be 4199 bytes (5) eap_tls: (TLS) EAP Expecting 4 fragments (5) eap_tls: (TLS) EAP Got first TLS fragment (1266 bytes). Peer says more fragments will follow (5) eap_tls: (TLS) EAP ACKing fragment, the peer should send more data. (5) eap: Sending EAP Request (code 1) ID 122 length 6 (5) eap: EAP session adding &reply:State = 0xa3577425a62d7913 (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (5) Challenge { ... } # empty sub-section is ignored (5) session-state: Saving cached attributes (5) Framed-MTU = 994 (5) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (5) Sent Access-Challenge Id 10 from 192.168.254.16:1812 to 192.168.254.20:53045 length 80 (5) Tunnel-Type := VLAN (5) Tunnel-Medium-Type := IEEE-802 (5) Tunnel-Private-Group-Id := "31" (5) EAP-Message = 0x017a00060d00 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0xa3577425a62d79135063bdf3f7a6897e (5) Finished request Waking up in 4.8 seconds. (6) Received Access-Request Id 11 from 192.168.254.20:53045 to 192.168.254.16:1812 length 1534 (6) User-Name = "F6PJ500VNTH0" (6) NAS-IP-Address = 192.168.254.20 (6) NAS-Identifier = "7a455839b642" (6) Called-Station-Id = "7A-45-58-39-B6-42:arendtsen-secure" (6) NAS-Port-Type = Wireless-802.11 (6) Service-Type = Framed-User (6) Calling-Station-Id = "64-0B-D7-DE-4A-44" (6) Connect-Info = "CONNECT 0Mbps 802.11a" (6) Acct-Session-Id = "A489808D693B5946" (6) Acct-Multi-Session-Id = "BCC853EF4F45EAD6" (6) WLAN-Pairwise-Cipher = 1027081 (6) WLAN-Group-Cipher = 1027081 (6) WLAN-AKM-Suite = 1027084 (6) WLAN-Group-Mgmt-Cipher = 1027084 (6) Framed-MTU = 1400 (6) EAP-Message = 0x027a04fc0d407d4b4626885f9b2d2ee89b3861413d77298f3e023b94e850cefb9e6de37835294e2751ab93b97fc1c4f8dfedaccc865d966a2f7ac5afdf9c2d75882b98e344034249f92e7b9c577977f7aad17efe1e1b61abe7376996c4655ec08f06a9481ba27284680d3c2237a6db38aa238ca258ac00ebdc6d3f55e46e7805ddd0fb716ad6e00399ed82ba21ffe076a6e01c764ab07ec431eb7476f43004191999e4a71638b2aaee9730ed472b147d8e56fd8f8f5a91c82a1a459ea854be39af75f7d5f971fa374bbb893ad8bb51b4dc341e5aedc15edfcd788f05bc25828f8d68b69f8b310fbe6aba64b5c37a99b237e0eef8c03d3c08fb3588d46ba7d1b82c4a0004ac308204a830820310a0030201020214714cce994724fbab9c091bbe8d98c700e39a3efb300d06092a864886f70d01010b050030253123302106035504030c1a4172656e647473656e20526f6f74204341203230323130383233301e170d3231313031313139313730385a170d323631303133 (6) State = 0xa3577425a62d79135063bdf3f7a6897e (6) Message-Authenticator = 0x896be04e1fb48d125db4e66631e2a671 (6) Restoring &session-state (6) &session-state:Framed-MTU = 994 (6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "F6PJ500VNTH0", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 122 length 1276 (6) eap: No EAP Start, assuming it's an on-going EAP conversation (6) [eap] = updated (6) [files] = noop rlm_ldap (ldap): Reserved connection (0) (6) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (6) ldap: --> (uid=F6PJ500VNTH0) (6) ldap: Performing search in "dc=users,dc=arendtsen,dc=dk" with filter "(uid=F6PJ500VNTH0)", scope "sub" (6) ldap: Waiting for search result... (6) ldap: User object found at DN "uid=F6PJ500VNTH0,ou=ipad,ou=devices,dc=users,dc=arendtsen,dc=dk" (6) ldap: Processing user attributes (6) ldap: control:Password-With-Header += 'F6PJ500VNTH0' (6) ldap: reply:Tunnel-Type := VLAN (6) ldap: reply:Tunnel-Medium-Type := IEEE-802 (6) ldap: reply:Tunnel-Private-Group-ID := '31' rlm_ldap (ldap): Released connection (0) (6) [ldap] = updated (6) [expiration] = noop (6) [logintime] = noop (6) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (6) pap: Removing &control:Password-With-Header (6) pap: WARNING: Auth-Type already set. Not setting to PAP (6) [pap] = noop (6) } # authorize = updated (6) Found Auth-Type = eap (6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0xa3577425a62d7913 (6) eap: Finished EAP session with state 0xa3577425a62d7913 (6) eap: Previous EAP request found for state 0xa3577425a62d7913, released from the list (6) eap: Peer sent packet with method EAP TLS (13) (6) eap: Calling submodule eap_tls to process data (6) eap_tls: (TLS) EAP Got additional fragment (1270 bytes). Peer says more fragments will follow (6) eap_tls: (TLS) EAP ACKing fragment, the peer should send more data. (6) eap: Sending EAP Request (code 1) ID 123 length 6 (6) eap: EAP session adding &reply:State = 0xa3577425a52c7913 (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (6) Challenge { ... } # empty sub-section is ignored (6) session-state: Saving cached attributes (6) Framed-MTU = 994 (6) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (6) Sent Access-Challenge Id 11 from 192.168.254.16:1812 to 192.168.254.20:53045 length 80 (6) Tunnel-Type := VLAN (6) Tunnel-Medium-Type := IEEE-802 (6) Tunnel-Private-Group-Id := "31" (6) EAP-Message = 0x017b00060d00 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0xa3577425a52c79135063bdf3f7a6897e (6) Finished request Waking up in 4.8 seconds. (7) Received Access-Request Id 12 from 192.168.254.20:53045 to 192.168.254.16:1812 length 1534 (7) User-Name = "F6PJ500VNTH0" (7) NAS-IP-Address = 192.168.254.20 (7) NAS-Identifier = "7a455839b642" (7) Called-Station-Id = "7A-45-58-39-B6-42:arendtsen-secure" (7) NAS-Port-Type = Wireless-802.11 (7) Service-Type = Framed-User (7) Calling-Station-Id = "64-0B-D7-DE-4A-44" (7) Connect-Info = "CONNECT 0Mbps 802.11a" (7) Acct-Session-Id = "A489808D693B5946" (7) Acct-Multi-Session-Id = "BCC853EF4F45EAD6" (7) WLAN-Pairwise-Cipher = 1027081 (7) WLAN-Group-Cipher = 1027081 (7) WLAN-AKM-Suite = 1027084 (7) WLAN-Group-Mgmt-Cipher = 1027084 (7) Framed-MTU = 1400 (7) EAP-Message = 0x027b04fc0d40774a1d86a204d65556858a26fe4c0c29f00a5892de191045a9f00e600a749013c1b9184c43b0b246dfd5f9a590119b921a7fe52f2b9f3d98dffacd7a3e47a1ebd086446439168557137d936efe15a0c5f681daa949b4bac170b5f7de2243a0fe5b47a610883b41fbd44340c48b7f8707e03d4acea310bad731b4eb6bf4e49d8df130d535ac6642338f8d4e09b8c0b53281d535b0ebc2ca03c99cbaf192359a0d412dc70900e05ac47b14a0de768f23b5202b97cb5000043c30820438308202a0a00302010202147b4cf83e65f4f0080e65db4a8bbf787d00690640300d06092a864886f70d01010b050030253123302106035504030c1a4172656e647473656e20526f6f74204341203230323130383233301e170d3231303832333138303630325a170d3331303832363138303630325a30253123302106035504030c1a4172656e647473656e20526f6f74204341203230323130383233308201a2300d06092a864886f70d01010105000382018f0030 (7) State = 0xa3577425a52c79135063bdf3f7a6897e (7) Message-Authenticator = 0x323eb2446fd39b9a7855c58a6747da6d (7) Restoring &session-state (7) &session-state:Framed-MTU = 994 (7) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "F6PJ500VNTH0", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 123 length 1276 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) [files] = noop rlm_ldap (ldap): Reserved connection (5) (7) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (7) ldap: --> (uid=F6PJ500VNTH0) (7) ldap: Performing search in "dc=users,dc=arendtsen,dc=dk" with filter "(uid=F6PJ500VNTH0)", scope "sub" (7) ldap: Waiting for search result... (7) ldap: User object found at DN "uid=F6PJ500VNTH0,ou=ipad,ou=devices,dc=users,dc=arendtsen,dc=dk" (7) ldap: Processing user attributes (7) ldap: control:Password-With-Header += 'F6PJ500VNTH0' (7) ldap: reply:Tunnel-Type := VLAN (7) ldap: reply:Tunnel-Medium-Type := IEEE-802 (7) ldap: reply:Tunnel-Private-Group-ID := '31' rlm_ldap (ldap): Released connection (5) (7) [ldap] = updated (7) [expiration] = noop (7) [logintime] = noop (7) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (7) pap: Removing &control:Password-With-Header (7) pap: WARNING: Auth-Type already set. Not setting to PAP (7) [pap] = noop (7) } # authorize = updated (7) Found Auth-Type = eap (7) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0xa3577425a52c7913 (7) eap: Finished EAP session with state 0xa3577425a52c7913 (7) eap: Previous EAP request found for state 0xa3577425a52c7913, released from the list (7) eap: Peer sent packet with method EAP TLS (13) (7) eap: Calling submodule eap_tls to process data (7) eap_tls: (TLS) EAP Got additional fragment (1270 bytes). Peer says more fragments will follow (7) eap_tls: (TLS) EAP ACKing fragment, the peer should send more data. (7) eap: Sending EAP Request (code 1) ID 124 length 6 (7) eap: EAP session adding &reply:State = 0xa3577425a42b7913 (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (7) Challenge { ... } # empty sub-section is ignored (7) session-state: Saving cached attributes (7) Framed-MTU = 994 (7) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (7) Sent Access-Challenge Id 12 from 192.168.254.16:1812 to 192.168.254.20:53045 length 80 (7) Tunnel-Type := VLAN (7) Tunnel-Medium-Type := IEEE-802 (7) Tunnel-Private-Group-Id := "31" (7) EAP-Message = 0x017c00060d00 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xa3577425a42b79135063bdf3f7a6897e (7) Finished request Waking up in 4.7 seconds. (8) Received Access-Request Id 13 from 192.168.254.20:53045 to 192.168.254.16:1812 length 649 (8) User-Name = "F6PJ500VNTH0" (8) NAS-IP-Address = 192.168.254.20 (8) NAS-Identifier = "7a455839b642" (8) Called-Station-Id = "7A-45-58-39-B6-42:arendtsen-secure" (8) NAS-Port-Type = Wireless-802.11 (8) Service-Type = Framed-User (8) Calling-Station-Id = "64-0B-D7-DE-4A-44" (8) Connect-Info = "CONNECT 0Mbps 802.11a" (8) Acct-Session-Id = "A489808D693B5946" (8) Acct-Multi-Session-Id = "BCC853EF4F45EAD6" (8) WLAN-Pairwise-Cipher = 1027081 (8) WLAN-Group-Cipher = 1027081 (8) WLAN-AKM-Suite = 1027084 (8) WLAN-Group-Mgmt-Cipher = 1027084 (8) Framed-MTU = 1400 (8) EAP-Message = 0x027c018f0d000300461000004241047865438459fa2013ee1a150a65a08bc1df12d12cfc511ac8342edea71ed2a5e7ef25e0e1da6e2a631c678c028f5fdcff945038d03a46abe06d9b857633734d5416030301080f0001040804010046c3ceb5bd2dc2426cb31d57309f60f9d522cecd543050dd4c4ded9f36513faf4fdefef1226d7a537fc48491a8465952b8940ebeed1aef9519d2ca531b420f4dbef8a6ba2abaac1fb5f303ec19d9db81ec29c59f5ddcedf2c6c71ee0297bbd8608db9ca1cb1bc6115d5a34fb5aa6f19808c8b56af9e09b7415e9df6837fd5520b7602b56b2b89cbafe95eb3545e862839594d107c8b336fdc9ee137a2e3261ca3583e4149895fd7a860cab8ebd7f0646223ac82306ca946785955c86a6a2beadf9f9f90abd158443915176848202fc82527f06898bc12737829f7eed2873f2db0765e3515f81a88cb974fe1c1d031b38624f6f145d71b40b54c7ec410d3f14ef14030300010116030300280000000000000000d22306e999aecf8e (8) State = 0xa3577425a42b79135063bdf3f7a6897e (8) Message-Authenticator = 0x5a889c38455a3b19570a511843489231 (8) Restoring &session-state (8) &session-state:Framed-MTU = 994 (8) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [preprocess] = ok (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "F6PJ500VNTH0", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent EAP Response (code 2) ID 124 length 399 (8) eap: No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [files] = noop rlm_ldap (ldap): Reserved connection (0) (8) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (8) ldap: --> (uid=F6PJ500VNTH0) (8) ldap: Performing search in "dc=users,dc=arendtsen,dc=dk" with filter "(uid=F6PJ500VNTH0)", scope "sub" (8) ldap: Waiting for search result... (8) ldap: User object found at DN "uid=F6PJ500VNTH0,ou=ipad,ou=devices,dc=users,dc=arendtsen,dc=dk" (8) ldap: Processing user attributes (8) ldap: control:Password-With-Header += 'F6PJ500VNTH0' (8) ldap: reply:Tunnel-Type := VLAN (8) ldap: reply:Tunnel-Medium-Type := IEEE-802 (8) ldap: reply:Tunnel-Private-Group-ID := '31' rlm_ldap (ldap): Released connection (0) (8) [ldap] = updated (8) [expiration] = noop (8) [logintime] = noop (8) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (8) pap: Removing &control:Password-With-Header (8) pap: WARNING: Auth-Type already set. Not setting to PAP (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0xa3577425a42b7913 (8) eap: Finished EAP session with state 0xa3577425a42b7913 (8) eap: Previous EAP request found for state 0xa3577425a42b7913, released from the list (8) eap: Peer sent packet with method EAP TLS (13) (8) eap: Calling submodule eap_tls to process data (8) eap_tls: (TLS) EAP Got final fragment (393 bytes) (8) eap_tls: (TLS) EAP Done initial handshake (8) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done (8) eap_tls: (TLS) recv TLS 1.2 Handshake, Certificate (8) eap_tls: (TLS) Creating attributes from ????? ?? certificate (8) eap_tls: (TLS) Creating attributes from server certificate (8) eap_tls: TLS-Cert-Serial := "714cce994724fbab9c091bbe8d98c700e39a3efb" (8) eap_tls: TLS-Cert-Expiration := "261013191708Z" (8) eap_tls: TLS-Cert-Valid-Since := "211011191708Z" (8) eap_tls: TLS-Cert-Subject := "/C=DK/O=Arendtsen/CN=Arendtsen Devices Issusing CA 20211011" (8) eap_tls: TLS-Cert-Issuer := "/CN=Arendtsen Root CA 20210823" (8) eap_tls: TLS-Cert-Common-Name := "Arendtsen Devices Issusing CA 20211011" (8) eap_tls: (TLS) Creating attributes from client certificate (8) eap_tls: TLS-Client-Cert-Serial := "6cff7e76695b0cf259f0" (8) eap_tls: TLS-Client-Cert-Expiration := "240731203959Z" (8) eap_tls: TLS-Client-Cert-Valid-Since := "230731203959Z" (8) eap_tls: TLS-Client-Cert-Subject := "/DC=dk/DC=arendtsen/DC=devices/OU=ipad/CN=F6PJ500VNTH0" (8) eap_tls: TLS-Client-Cert-Issuer := "/C=DK/O=Arendtsen/CN=Arendtsen Devices Issusing CA 20211011" (8) eap_tls: TLS-Client-Cert-Common-Name := "F6PJ500VNTH0" (8) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:10:1C:A7:8C:D7:17:69:61:C6:0B:F3:8F:B2:D4:7E:EC:0D:11:82:27\n" (8) eap_tls: TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE" (8) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication" (8) eap_tls: TLS-Client-Cert-X509v3-Certificate-Policies += "Policy: 1.2.3.4\n CPS: http://pki.arendtsen.dk/cps.html\n CPS: http://pki.arendtsen.dk/cps.html\n User Notice:\n Explicit Text: This is a comment for policy oid 1.2.3.4\n" (8) eap_tls: TLS-Client-Cert-X509v3-Subject-Key-Identifier += "81:17:16:D4:F4:AC:85:99:09:6C:53:F2:B6:F5:EE:76:E0:88:45:EA" (8) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" Certificate chain - 2 cert(s) untrusted (TLS) untrusted certificate with depth [2] subject name /CN=Arendtsen Root CA 20210823 (TLS) untrusted certificate with depth [1] subject name /C=DK/O=Arendtsen/CN=Arendtsen Devices Issusing CA 20211011 (TLS) untrusted certificate with depth [0] subject name /DC=dk/DC=arendtsen/DC=devices/OU=ipad/CN=F6PJ500VNTH0 (8) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client certificate (8) eap_tls: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange (8) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client key exchange (8) eap_tls: (TLS) recv TLS 1.2 Handshake, CertificateVerify (8) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read certificate verify (8) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read change cipher spec (8) eap_tls: (TLS) recv TLS 1.2 Handshake, Finished (8) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read finished (8) eap_tls: (TLS) send TLS 1.2 ChangeCipherSpec (8) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write change cipher spec (8) eap_tls: (TLS) send TLS 1.2 Handshake, Finished (8) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write finished (8) eap_tls: (TLS) Handshake state - SSL negotiation finished successfully (8) eap_tls: (TLS) Connection Established (8) eap_tls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (8) eap_tls: TLS-Session-Version = "TLS 1.2" (8) eap: Sending EAP Request (code 1) ID 125 length 61 (8) eap: EAP session adding &reply:State = 0xa3577425ab2a7913 (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (8) Challenge { ... } # empty sub-section is ignored (8) session-state: Saving cached attributes (8) Framed-MTU = 994 (8) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (8) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (8) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (8) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (8) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (8) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (8) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Certificate" (8) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (8) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, CertificateVerify" (8) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (8) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (8) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (8) TLS-Session-Version = "TLS 1.2" (8) Sent Access-Challenge Id 13 from 192.168.254.16:1812 to 192.168.254.20:53045 length 135 (8) Tunnel-Type := VLAN (8) Tunnel-Medium-Type := IEEE-802 (8) Tunnel-Private-Group-Id := "31" (8) EAP-Message = 0x017d003d0d80000000331403030001011603030028ee12266e2a461917d4ecf7ed98f52c73d4bce4e1d4ac642a6fc310ca22af78a6d42c66dcb40877ac (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0xa3577425ab2a79135063bdf3f7a6897e (8) Finished request Waking up in 4.7 seconds. (9) Received Access-Request Id 14 from 192.168.254.20:53045 to 192.168.254.16:1812 length 254 (9) User-Name = "F6PJ500VNTH0" (9) NAS-IP-Address = 192.168.254.20 (9) NAS-Identifier = "7a455839b642" (9) Called-Station-Id = "7A-45-58-39-B6-42:arendtsen-secure" (9) NAS-Port-Type = Wireless-802.11 (9) Service-Type = Framed-User (9) Calling-Station-Id = "64-0B-D7-DE-4A-44" (9) Connect-Info = "CONNECT 0Mbps 802.11a" (9) Acct-Session-Id = "A489808D693B5946" (9) Acct-Multi-Session-Id = "BCC853EF4F45EAD6" (9) WLAN-Pairwise-Cipher = 1027081 (9) WLAN-Group-Cipher = 1027081 (9) WLAN-AKM-Suite = 1027084 (9) WLAN-Group-Mgmt-Cipher = 1027084 (9) Framed-MTU = 1400 (9) EAP-Message = 0x027d00060d00 (9) State = 0xa3577425ab2a79135063bdf3f7a6897e (9) Message-Authenticator = 0x7a00b3eff59a6546077226c3c163c09b (9) Restoring &session-state (9) &session-state:Framed-MTU = 994 (9) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (9) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Certificate" (9) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (9) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, CertificateVerify" (9) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (9) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (9) &session-state:TLS-Session-Version = "TLS 1.2" (9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) [preprocess] = ok (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "F6PJ500VNTH0", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: Peer sent EAP Response (code 2) ID 125 length 6 (9) eap: No EAP Start, assuming it's an on-going EAP conversation (9) [eap] = updated (9) [files] = noop rlm_ldap (ldap): Reserved connection (5) (9) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (9) ldap: --> (uid=F6PJ500VNTH0) (9) ldap: Performing search in "dc=users,dc=arendtsen,dc=dk" with filter "(uid=F6PJ500VNTH0)", scope "sub" (9) ldap: Waiting for search result... (9) ldap: User object found at DN "uid=F6PJ500VNTH0,ou=ipad,ou=devices,dc=users,dc=arendtsen,dc=dk" (9) ldap: Processing user attributes (9) ldap: control:Password-With-Header += 'F6PJ500VNTH0' (9) ldap: reply:Tunnel-Type := VLAN (9) ldap: reply:Tunnel-Medium-Type := IEEE-802 (9) ldap: reply:Tunnel-Private-Group-ID := '31' rlm_ldap (ldap): Released connection (5) (9) [ldap] = updated (9) [expiration] = noop (9) [logintime] = noop (9) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (9) pap: Removing &control:Password-With-Header (9) pap: WARNING: Auth-Type already set. Not setting to PAP (9) [pap] = noop (9) } # authorize = updated (9) Found Auth-Type = eap (9) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0xa3577425ab2a7913 (9) eap: Finished EAP session with state 0xa3577425ab2a7913 (9) eap: Previous EAP request found for state 0xa3577425ab2a7913, released from the list (9) eap: Peer sent packet with method EAP TLS (13) (9) eap: Calling submodule eap_tls to process data (9) eap_tls: (TLS) Peer ACKed our handshake fragment. handshake is finished (9) eap_tls: Validating certificate (9) Virtual server check-eap-tls-arendtsen received request (9) User-Name = "F6PJ500VNTH0" (9) NAS-IP-Address = 192.168.254.20 (9) NAS-Identifier = "7a455839b642" (9) Called-Station-Id = "7A-45-58-39-B6-42:arendtsen-secure" (9) NAS-Port-Type = Wireless-802.11 (9) Service-Type = Framed-User (9) Calling-Station-Id = "64-0B-D7-DE-4A-44" (9) Connect-Info = "CONNECT 0Mbps 802.11a" (9) Acct-Session-Id = "A489808D693B5946" (9) Acct-Multi-Session-Id = "BCC853EF4F45EAD6" (9) WLAN-Pairwise-Cipher = 1027081 (9) WLAN-Group-Cipher = 1027081 (9) WLAN-AKM-Suite = 1027084 (9) WLAN-Group-Mgmt-Cipher = 1027084 (9) Framed-MTU = 1400 (9) EAP-Message = 0x027d00060d00 (9) State = 0xa3577425ab2a79135063bdf3f7a6897e (9) Message-Authenticator = 0x7a00b3eff59a6546077226c3c163c09b (9) Event-Timestamp = "Aug 12 2023 12:59:15 CEST" (9) EAP-Type = TLS (9) TLS-Cert-Serial := "714cce994724fbab9c091bbe8d98c700e39a3efb" (9) TLS-Cert-Expiration := "261013191708Z" (9) TLS-Cert-Valid-Since := "211011191708Z" (9) TLS-Cert-Subject := "/C=DK/O=Arendtsen/CN=Arendtsen Devices Issusing CA 20211011" (9) TLS-Cert-Issuer := "/CN=Arendtsen Root CA 20210823" (9) TLS-Cert-Common-Name := "Arendtsen Devices Issusing CA 20211011" (9) TLS-Client-Cert-Serial := "6cff7e76695b0cf259f0" (9) TLS-Client-Cert-Expiration := "240731203959Z" (9) TLS-Client-Cert-Valid-Since := "230731203959Z" (9) TLS-Client-Cert-Subject := "/DC=dk/DC=arendtsen/DC=devices/OU=ipad/CN=F6PJ500VNTH0" (9) TLS-Client-Cert-Issuer := "/C=DK/O=Arendtsen/CN=Arendtsen Devices Issusing CA 20211011" (9) TLS-Client-Cert-Common-Name := "F6PJ500VNTH0" (9) TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:10:1C:A7:8C:D7:17:69:61:C6:0B:F3:8F:B2:D4:7E:EC:0D:11:82:27\n" (9) TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE" (9) TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication" (9) TLS-Client-Cert-X509v3-Certificate-Policies += "Policy: 1.2.3.4\n CPS: http://pki.arendtsen.dk/cps.html\n CPS: http://pki.arendtsen.dk/cps.html\n User Notice:\n Explicit Text: This is a comment for policy oid 1.2.3.4\n" (9) TLS-Client-Cert-X509v3-Subject-Key-Identifier += "81:17:16:D4:F4:AC:85:99:09:6C:53:F2:B6:F5:EE:76:E0:88:45:EA" (9) TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" (9) WARNING: Outer and inner identities are the same. User privacy is compromised. (9) server check-eap-tls-arendtsen { (9) session-state: No cached attributes (9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/check-eap-tls-arendtsen (9) authorize { (9) update config { (9) &Auth-Type := Accept (9) } # update config = noop (9) if (&User-Name == &TLS-Client-Cert-Common-Name) { (9) if (&User-Name == &TLS-Client-Cert-Common-Name) -> TRUE (9) if (&User-Name == &TLS-Client-Cert-Common-Name) { (9) update config { (9) &Auth-Type := Accept (9) } # update config = noop (9) } # if (&User-Name == &TLS-Client-Cert-Common-Name) = noop (9) ... skipping else: Preceding "if" was taken rlm_ldap (ldap): Reserved connection (0) (9) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (9) ldap: --> (uid=F6PJ500VNTH0) (9) ldap: Performing search in "dc=users,dc=arendtsen,dc=dk" with filter "(uid=F6PJ500VNTH0)", scope "sub" (9) ldap: Waiting for search result... (9) ldap: User object found at DN "uid=F6PJ500VNTH0,ou=ipad,ou=devices,dc=users,dc=arendtsen,dc=dk" (9) ldap: Processing user attributes (9) ldap: control:Password-With-Header += 'F6PJ500VNTH0' (9) ldap: reply:Tunnel-Type := VLAN (9) ldap: reply:Tunnel-Medium-Type := IEEE-802 (9) ldap: reply:Tunnel-Private-Group-ID := '31' rlm_ldap (ldap): Released connection (0) (9) [ldap] = updated (9) if (Ldap-Group == "radius-vlan-secure") { (9) Searching for user in group "radius-vlan-secure" rlm_ldap (ldap): Reserved connection (5) (9) Using user DN from request "uid=F6PJ500VNTH0,ou=ipad,ou=devices,dc=users,dc=arendtsen,dc=dk" (9) Checking for user in group objects (9) EXPAND (&(cn=radius-vlan-secure)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))) (9) --> (&(cn=radius-vlan-secure)(objectClass=posixGroup)(|(member=uid\3dF6PJ500VNTH0\2cou\3dipad\2cou\3ddevices\2cdc\3dusers\2cdc\3darendtsen\2cdc\3ddk)(memberUid=F6PJ500VNTH0))) (9) Performing search in "dc=groups,dc=arendtsen,dc=dk" with filter "(&(cn=radius-vlan-secure)(objectClass=posixGroup)(|(member=uid\3dF6PJ500VNTH0\2cou\3dipad\2cou\3ddevices\2cdc\3dusers\2cdc\3darendtsen\2cdc\3ddk)(memberUid=F6PJ500VNTH0)))", scope "sub" (9) Waiting for search result... (9) User found in group object "cn=radius-vlan-secure,ou=profiles,ou=network,dc=groups,dc=arendtsen,dc=dk" rlm_ldap (ldap): Released connection (5) (9) if (Ldap-Group == "radius-vlan-secure") -> TRUE (9) if (Ldap-Group == "radius-vlan-secure") { (9) update config { (9) &Auth-Type := Accept (9) } # update config = noop (9) } # if (Ldap-Group == "radius-vlan-secure") = noop (9) [files] = noop (9) auth_log: EXPAND /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (9) auth_log: --> /var/log/radacct/192.168.254.20/auth-detail-20230812 (9) auth_log: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/192.168.254.20/auth-detail-20230812 (9) auth_log: EXPAND %t (9) auth_log: --> Sat Aug 12 12:59:15 2023 (9) [auth_log] = ok (9) } # authorize = updated (9) Found Auth-Type = Accept (9) Auth-Type = Accept, accepting the user (9) } # server check-eap-tls-arendtsen (9) Virtual server sending reply (9) Tunnel-Type := VLAN (9) Tunnel-Medium-Type := IEEE-802 (9) Tunnel-Private-Group-Id := "31" (9) eap: Sending EAP Success (code 3) ID 125 length 4 (9) eap: Freeing handler (9) [eap] = ok (9) } # authenticate = ok (9) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (9) post-auth { (9) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (9) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (9) update { (9) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994 (9) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake, ClientHello' (9) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHello' (9) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Certificate' (9) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerKeyExchange' (9) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, CertificateRequest' (9) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHelloDone' (9) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, Certificate' (9) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, ClientKeyExchange' (9) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, CertificateVerify' (9) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, Finished' (9) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 ChangeCipherSpec' (9) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Finished' (9) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384' (9) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2' (9) } # update = noop (9) [exec] = noop (9) policy remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else { (9) [noop] = noop (9) } # else = noop (9) } # policy remove_reply_message_if_eap = noop (9) if (EAP-Key-Name && &reply:EAP-Session-Id) { (9) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE (9) } # post-auth = noop (9) Sent Access-Accept Id 14 from 192.168.254.16:1812 to 192.168.254.20:53045 length 212 (9) Tunnel-Type := VLAN (9) Tunnel-Medium-Type := IEEE-802 (9) Tunnel-Private-Group-Id := "31" (9) Tunnel-Type := VLAN (9) Tunnel-Medium-Type := IEEE-802 (9) Tunnel-Private-Group-Id := "31" (9) MS-MPPE-Recv-Key = 0x5fd42911c98e0ea3510a57d86c62e780859a92234e8bbf2fca6c8a0d87ef38c2 (9) MS-MPPE-Send-Key = 0xda157c345bacdb84e10dc53ad781492af3563b7ec6aeceddf3363a944d1c446d (9) EAP-Message = 0x037d0004 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) User-Name = "F6PJ500VNTH0" (9) Framed-MTU += 994 (9) Finished request Waking up in 4.7 seconds. (0) Cleaning up request packet ID 5 with timestamp +276 due to cleanup_delay was reached (1) Cleaning up request packet ID 6 with timestamp +276 due to cleanup_delay was reached (2) Cleaning up request packet ID 7 with timestamp +276 due to cleanup_delay was reached (3) Cleaning up request packet ID 8 with timestamp +276 due to cleanup_delay was reached (4) Cleaning up request packet ID 9 with timestamp +276 due to cleanup_delay was reached (5) Cleaning up request packet ID 10 with timestamp +276 due to cleanup_delay was reached (6) Cleaning up request packet ID 11 with timestamp +276 due to cleanup_delay was reached (7) Cleaning up request packet ID 12 with timestamp +276 due to cleanup_delay was reached (8) Cleaning up request packet ID 13 with timestamp +276 due to cleanup_delay was reached (9) Cleaning up request packet ID 14 with timestamp +276 due to cleanup_delay was reached Ready to process requests