(30) Received Access-Request Id 35 from 192.168.254.20:53045 to 192.168.254.16:1812 length 253
(30) User-Name = "F6PJ500VNTH0"
(30) NAS-IP-Address = 192.168.254.20
(30) Framed-IP-Address = 192.168.254.49
(30) NAS-Identifier = "7a455839b642"
(30) Called-Station-Id = "7A-45-58-39-B6-42:arendtsen-secure"
(30) NAS-Port-Type = Wireless-802.11
(30) Service-Type = Framed-User
(30) Calling-Station-Id = "64-0B-D7-DE-4A-44"
(30) Connect-Info = "CONNECT 0Mbps 802.11a"
(30) Acct-Session-Id = "017A2B97AB5E2AC9"
(30) Acct-Multi-Session-Id = "45CDEC38FA7D45EA"
(30) WLAN-Pairwise-Cipher = 1027081
(30) WLAN-Group-Cipher = 1027081
(30) WLAN-AKM-Suite = 1027084
(30) WLAN-Group-Mgmt-Cipher = 1027084
(30) Framed-MTU = 1400
(30) EAP-Message = 0x022f0011014636504a353030564e544830
(30) Message-Authenticator = 0xde2e0b6aa208608c28c007919bebb8e6
(30) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(30) authorize {
(30) policy filter_username {
(30) if (&User-Name) {
(30) if (&User-Name) -> TRUE
(30) if (&User-Name) {
(30) if (&User-Name =~ / /) {
(30) if (&User-Name =~ / /) -> FALSE
(30) if (&User-Name =~ /@[^@]*@/ ) {
(30) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(30) if (&User-Name =~ /\.\./ ) {
(30) if (&User-Name =~ /\.\./ ) -> FALSE
(30) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(30) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(30) if (&User-Name =~ /\.$/) {
(30) if (&User-Name =~ /\.$/) -> FALSE
(30) if (&User-Name =~ /@\./) {
(30) if (&User-Name =~ /@\./) -> FALSE
(30) } # if (&User-Name) = notfound
(30) } # policy filter_username = notfound
(30) [preprocess] = ok
(30) suffix: Checking for suffix after "@"
(30) suffix: No '@' in User-Name = "F6PJ500VNTH0", looking up realm NULL
(30) suffix: No such realm "NULL"
(30) [suffix] = noop
(30) eap: Peer sent EAP Response (code 2) ID 47 length 17
(30) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(30) [eap] = ok
(30) } # authorize = ok
(30) Found Auth-Type = eap
(30) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(30) authenticate {
(30) eap: Peer sent packet with method EAP Identity (1)
(30) eap: Calling submodule eap_peap to process data
(30) eap_peap: (TLS) Initiating new session
(30) eap: Sending EAP Request (code 1) ID 48 length 6
(30) eap: EAP session adding &reply:State = 0x1dc655fe1df64cf5
(30) [eap] = handled
(30) } # authenticate = handled
(30) Using Post-Auth-Type Challenge
(30) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(30) Challenge { ... } # empty sub-section is ignored
(30) session-state: Saving cached attributes
(30) Framed-MTU = 994
(30) Sent Access-Challenge Id 35 from 192.168.254.16:1812 to 192.168.254.20:53045 length 64
(30) EAP-Message = 0x013000061920
(30) Message-Authenticator = 0x00000000000000000000000000000000
(30) State = 0x1dc655fe1df64cf502bac633d68cc8fc
(30) Finished request
Waking up in 4.9 seconds.
(31) Received Access-Request Id 36 from 192.168.254.20:53045 to 192.168.254.16:1812 length 260
(31) User-Name = "F6PJ500VNTH0"
(31) NAS-IP-Address = 192.168.254.20
(31) Framed-IP-Address = 192.168.254.49
(31) NAS-Identifier = "7a455839b642"
(31) Called-Station-Id = "7A-45-58-39-B6-42:arendtsen-secure"
(31) NAS-Port-Type = Wireless-802.11
(31) Service-Type = Framed-User
(31) Calling-Station-Id = "64-0B-D7-DE-4A-44"
(31) Connect-Info = "CONNECT 0Mbps 802.11a"
(31) Acct-Session-Id = "017A2B97AB5E2AC9"
(31) Acct-Multi-Session-Id = "45CDEC38FA7D45EA"
(31) WLAN-Pairwise-Cipher = 1027081
(31) WLAN-Group-Cipher = 1027081
(31) WLAN-AKM-Suite = 1027084
(31) WLAN-Group-Mgmt-Cipher = 1027084
(31) Framed-MTU = 1400
(31) EAP-Message = 0x02300006030d
(31) State = 0x1dc655fe1df64cf502bac633d68cc8fc
(31) Message-Authenticator = 0x60b7938e892943406b143146abc54994
(31) Restoring &session-state
(31) &session-state:Framed-MTU = 994
(31) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(31) authorize {
(31) policy filter_username {
(31) if (&User-Name) {
(31) if (&User-Name) -> TRUE
(31) if (&User-Name) {
(31) if (&User-Name =~ / /) {
(31) if (&User-Name =~ / /) -> FALSE
(31) if (&User-Name =~ /@[^@]*@/ ) {
(31) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(31) if (&User-Name =~ /\.\./ ) {
(31) if (&User-Name =~ /\.\./ ) -> FALSE
(31) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(31) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(31) if (&User-Name =~ /\.$/) {
(31) if (&User-Name =~ /\.$/) -> FALSE
(31) if (&User-Name =~ /@\./) {
(31) if (&User-Name =~ /@\./) -> FALSE
(31) } # if (&User-Name) = notfound
(31) } # policy filter_username = notfound
(31) [preprocess] = ok
(31) suffix: Checking for suffix after "@"
(31) suffix: No '@' in User-Name = "F6PJ500VNTH0", looking up realm NULL
(31) suffix: No such realm "NULL"
(31) [suffix] = noop
(31) eap: Peer sent EAP Response (code 2) ID 48 length 6
(31) eap: No EAP Start, assuming it's an on-going EAP conversation
(31) [eap] = updated
(31) [files] = noop
rlm_ldap (ldap): Reserved connection (7)
(31) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(31) ldap: --> (uid=F6PJ500VNTH0)
(31) ldap: Performing search in "dc=users,dc=arendtsen,dc=dk" with filter "(uid=F6PJ500VNTH0)", scope "sub"
(31) ldap: Waiting for search result...
(31) ldap: User object found at DN "uid=F6PJ500VNTH0,ou=ipad,ou=devices,dc=users,dc=arendtsen,dc=dk"
(31) ldap: Processing user attributes
(31) ldap: control:Password-With-Header += 'F6PJ500VNTH0'
rlm_ldap (ldap): Released connection (7)
Need 1 more connections to reach min connections (3)
Need more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (8), 1 of 30 pending slots used
rlm_ldap (ldap): Connecting to ldap://localhost:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing expired connection (0) - Hit idle_timeout limit
(31) [ldap] = updated
(31) [expiration] = noop
(31) [logintime] = noop
(31) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password
(31) pap: Removing &control:Password-With-Header
(31) pap: WARNING: Auth-Type already set. Not setting to PAP
(31) [pap] = noop
(31) } # authorize = updated
(31) Found Auth-Type = eap
(31) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(31) authenticate {
(31) eap: Expiring EAP session with state 0x1dc655fe1df64cf5
(31) eap: Finished EAP session with state 0x1dc655fe1df64cf5
(31) eap: Previous EAP request found for state 0x1dc655fe1df64cf5, released from the list
(31) eap: Peer sent packet with method EAP NAK (3)
(31) eap: Found mutually acceptable type TLS (13)
(31) eap: Calling submodule eap_tls to process data
(31) eap_tls: (TLS) Initiating new session
(31) eap_tls: (TLS) Setting verify mode to require certificate from client
(31) eap: Sending EAP Request (code 1) ID 49 length 6
(31) eap: EAP session adding &reply:State = 0x1dc655fe1cf758f5
(31) [eap] = handled
(31) } # authenticate = handled
(31) Using Post-Auth-Type Challenge
(31) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(31) Challenge { ... } # empty sub-section is ignored
(31) session-state: Saving cached attributes
(31) Framed-MTU = 994
(31) Sent Access-Challenge Id 36 from 192.168.254.16:1812 to 192.168.254.20:53045 length 64
(31) EAP-Message = 0x013100060d20
(31) Message-Authenticator = 0x00000000000000000000000000000000
(31) State = 0x1dc655fe1cf758f502bac633d68cc8fc
(31) Finished request
Waking up in 4.9 seconds.
(32) Received Access-Request Id 37 from 192.168.254.20:53045 to 192.168.254.16:1812 length 418
(32) User-Name = "F6PJ500VNTH0"
(32) NAS-IP-Address = 192.168.254.20
(32) Framed-IP-Address = 192.168.254.49
(32) NAS-Identifier = "7a455839b642"
(32) Called-Station-Id = "7A-45-58-39-B6-42:arendtsen-secure"
(32) NAS-Port-Type = Wireless-802.11
(32) Service-Type = Framed-User
(32) Calling-Station-Id = "64-0B-D7-DE-4A-44"
(32) Connect-Info = "CONNECT 0Mbps 802.11a"
(32) Acct-Session-Id = "017A2B97AB5E2AC9"
(32) Acct-Multi-Session-Id = "45CDEC38FA7D45EA"
(32) WLAN-Pairwise-Cipher = 1027081
(32) WLAN-Group-Cipher = 1027081
(32) WLAN-AKM-Suite = 1027084
(32) WLAN-Group-Mgmt-Cipher = 1027084
(32) Framed-MTU = 1400
(32) EAP-Message = 0x023100a40d800000009a160301009501000091030343ed3db7cbef208c9dc18bba6225407f27fd477264633c568eec05573bd082d0000022c02cc02bcca9c030c02fcca8c00ac009c014c013009d009c0035002fc008c012000a0100004600170000ff01000100000a000a0008001d001700180019000b00020100000500050100000000000d001800160403080404010503020308050805050108060601020100120000
(32) State = 0x1dc655fe1cf758f502bac633d68cc8fc
(32) Message-Authenticator = 0x900327cefa6c67f28f80254cd4ea8a6c
(32) Restoring &session-state
(32) &session-state:Framed-MTU = 994
(32) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(32) authorize {
(32) policy filter_username {
(32) if (&User-Name) {
(32) if (&User-Name) -> TRUE
(32) if (&User-Name) {
(32) if (&User-Name =~ / /) {
(32) if (&User-Name =~ / /) -> FALSE
(32) if (&User-Name =~ /@[^@]*@/ ) {
(32) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(32) if (&User-Name =~ /\.\./ ) {
(32) if (&User-Name =~ /\.\./ ) -> FALSE
(32) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(32) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(32) if (&User-Name =~ /\.$/) {
(32) if (&User-Name =~ /\.$/) -> FALSE
(32) if (&User-Name =~ /@\./) {
(32) if (&User-Name =~ /@\./) -> FALSE
(32) } # if (&User-Name) = notfound
(32) } # policy filter_username = notfound
(32) [preprocess] = ok
(32) suffix: Checking for suffix after "@"
(32) suffix: No '@' in User-Name = "F6PJ500VNTH0", looking up realm NULL
(32) suffix: No such realm "NULL"
(32) [suffix] = noop
(32) eap: Peer sent EAP Response (code 2) ID 49 length 164
(32) eap: No EAP Start, assuming it's an on-going EAP conversation
(32) [eap] = updated
(32) [files] = noop
rlm_ldap (ldap): Reserved connection (7)
(32) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(32) ldap: --> (uid=F6PJ500VNTH0)
(32) ldap: Performing search in "dc=users,dc=arendtsen,dc=dk" with filter "(uid=F6PJ500VNTH0)", scope "sub"
(32) ldap: Waiting for search result...
(32) ldap: User object found at DN "uid=F6PJ500VNTH0,ou=ipad,ou=devices,dc=users,dc=arendtsen,dc=dk"
(32) ldap: Processing user attributes
(32) ldap: control:Password-With-Header += 'F6PJ500VNTH0'
rlm_ldap (ldap): Released connection (7)
(32) [ldap] = updated
(32) [expiration] = noop
(32) [logintime] = noop
(32) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password
(32) pap: Removing &control:Password-With-Header
(32) pap: WARNING: Auth-Type already set. Not setting to PAP
(32) [pap] = noop
(32) } # authorize = updated
(32) Found Auth-Type = eap
(32) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(32) authenticate {
(32) eap: Expiring EAP session with state 0x1dc655fe1cf758f5
(32) eap: Finished EAP session with state 0x1dc655fe1cf758f5
(32) eap: Previous EAP request found for state 0x1dc655fe1cf758f5, released from the list
(32) eap: Peer sent packet with method EAP TLS (13)
(32) eap: Calling submodule eap_tls to process data
(32) eap_tls: (TLS) EAP Peer says that the final record size will be 154 bytes
(32) eap_tls: (TLS) EAP Got all data (154 bytes)
(32) eap_tls: (TLS) Handshake state - before SSL initialization
(32) eap_tls: (TLS) Handshake state - Server before SSL initialization
(32) eap_tls: (TLS) Handshake state - Server before SSL initialization
(32) eap_tls: (TLS) recv TLS 1.3 Handshake, ClientHello
(32) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client hello
(32) eap_tls: (TLS) send TLS 1.2 Handshake, ServerHello
(32) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server hello
(32) eap_tls: (TLS) send TLS 1.2 Handshake, Certificate
(32) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write certificate
(32) eap_tls: (TLS) send TLS 1.2 Handshake, ServerKeyExchange
(32) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write key exchange
(32) eap_tls: (TLS) send TLS 1.2 Handshake, CertificateRequest
(32) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write certificate request
(32) eap_tls: (TLS) send TLS 1.2 Handshake, ServerHelloDone
(32) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done
(32) eap_tls: (TLS) Server : Need to read more data: SSLv3/TLS write server done
(32) eap_tls: (TLS) In Handshake Phase
(32) eap: Sending EAP Request (code 1) ID 50 length 1004
(32) eap: EAP session adding &reply:State = 0x1dc655fe1ff458f5
(32) [eap] = handled
(32) } # authenticate = handled
(32) Using Post-Auth-Type Challenge
(32) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(32) Challenge { ... } # empty sub-section is ignored
(32) session-state: Saving cached attributes
(32) Framed-MTU = 994
(32) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(32) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(32) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(32) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(32) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
(32) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(32) Sent Access-Challenge Id 37 from 192.168.254.16:1812 to 192.168.254.20:53045 length 1068
(32) EAP-Message = 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
(32) Message-Authenticator = 0x00000000000000000000000000000000
(32) State = 0x1dc655fe1ff458f502bac633d68cc8fc
(32) Finished request
Waking up in 4.9 seconds.
(33) Received Access-Request Id 38 from 192.168.254.20:53045 to 192.168.254.16:1812 length 260
(33) User-Name = "F6PJ500VNTH0"
(33) NAS-IP-Address = 192.168.254.20
(33) Framed-IP-Address = 192.168.254.49
(33) NAS-Identifier = "7a455839b642"
(33) Called-Station-Id = "7A-45-58-39-B6-42:arendtsen-secure"
(33) NAS-Port-Type = Wireless-802.11
(33) Service-Type = Framed-User
(33) Calling-Station-Id = "64-0B-D7-DE-4A-44"
(33) Connect-Info = "CONNECT 0Mbps 802.11a"
(33) Acct-Session-Id = "017A2B97AB5E2AC9"
(33) Acct-Multi-Session-Id = "45CDEC38FA7D45EA"
(33) WLAN-Pairwise-Cipher = 1027081
(33) WLAN-Group-Cipher = 1027081
(33) WLAN-AKM-Suite = 1027084
(33) WLAN-Group-Mgmt-Cipher = 1027084
(33) Framed-MTU = 1400
(33) EAP-Message = 0x023200060d00
(33) State = 0x1dc655fe1ff458f502bac633d68cc8fc
(33) Message-Authenticator = 0x5541bc0b12b731a12c2766f295d4e7fa
(33) Restoring &session-state
(33) &session-state:Framed-MTU = 994
(33) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(33) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(33) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(33) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(33) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
(33) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(33) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(33) authorize {
(33) policy filter_username {
(33) if (&User-Name) {
(33) if (&User-Name) -> TRUE
(33) if (&User-Name) {
(33) if (&User-Name =~ / /) {
(33) if (&User-Name =~ / /) -> FALSE
(33) if (&User-Name =~ /@[^@]*@/ ) {
(33) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(33) if (&User-Name =~ /\.\./ ) {
(33) if (&User-Name =~ /\.\./ ) -> FALSE
(33) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(33) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(33) if (&User-Name =~ /\.$/) {
(33) if (&User-Name =~ /\.$/) -> FALSE
(33) if (&User-Name =~ /@\./) {
(33) if (&User-Name =~ /@\./) -> FALSE
(33) } # if (&User-Name) = notfound
(33) } # policy filter_username = notfound
(33) [preprocess] = ok
(33) suffix: Checking for suffix after "@"
(33) suffix: No '@' in User-Name = "F6PJ500VNTH0", looking up realm NULL
(33) suffix: No such realm "NULL"
(33) [suffix] = noop
(33) eap: Peer sent EAP Response (code 2) ID 50 length 6
(33) eap: No EAP Start, assuming it's an on-going EAP conversation
(33) [eap] = updated
(33) [files] = noop
rlm_ldap (ldap): Reserved connection (8)
(33) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(33) ldap: --> (uid=F6PJ500VNTH0)
(33) ldap: Performing search in "dc=users,dc=arendtsen,dc=dk" with filter "(uid=F6PJ500VNTH0)", scope "sub"
(33) ldap: Waiting for search result...
(33) ldap: User object found at DN "uid=F6PJ500VNTH0,ou=ipad,ou=devices,dc=users,dc=arendtsen,dc=dk"
(33) ldap: Processing user attributes
(33) ldap: control:Password-With-Header += 'F6PJ500VNTH0'
rlm_ldap (ldap): Released connection (8)
(33) [ldap] = updated
(33) [expiration] = noop
(33) [logintime] = noop
(33) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password
(33) pap: Removing &control:Password-With-Header
(33) pap: WARNING: Auth-Type already set. Not setting to PAP
(33) [pap] = noop
(33) } # authorize = updated
(33) Found Auth-Type = eap
(33) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(33) authenticate {
(33) eap: Expiring EAP session with state 0x1dc655fe1ff458f5
(33) eap: Finished EAP session with state 0x1dc655fe1ff458f5
(33) eap: Previous EAP request found for state 0x1dc655fe1ff458f5, released from the list
(33) eap: Peer sent packet with method EAP TLS (13)
(33) eap: Calling submodule eap_tls to process data
(33) eap_tls: (TLS) Peer ACKed our handshake fragment
(33) eap: Sending EAP Request (code 1) ID 51 length 1004
(33) eap: EAP session adding &reply:State = 0x1dc655fe1ef558f5
(33) [eap] = handled
(33) } # authenticate = handled
(33) Using Post-Auth-Type Challenge
(33) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(33) Challenge { ... } # empty sub-section is ignored
(33) session-state: Saving cached attributes
(33) Framed-MTU = 994
(33) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(33) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(33) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(33) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(33) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
(33) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(33) Sent Access-Challenge Id 38 from 192.168.254.16:1812 to 192.168.254.20:53045 length 1068
(33) EAP-Message = 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
(33) Message-Authenticator = 0x00000000000000000000000000000000
(33) State = 0x1dc655fe1ef558f502bac633d68cc8fc
(33) Finished request
Waking up in 4.9 seconds.
(34) Received Access-Request Id 39 from 192.168.254.20:53045 to 192.168.254.16:1812 length 260
(34) User-Name = "F6PJ500VNTH0"
(34) NAS-IP-Address = 192.168.254.20
(34) Framed-IP-Address = 192.168.254.49
(34) NAS-Identifier = "7a455839b642"
(34) Called-Station-Id = "7A-45-58-39-B6-42:arendtsen-secure"
(34) NAS-Port-Type = Wireless-802.11
(34) Service-Type = Framed-User
(34) Calling-Station-Id = "64-0B-D7-DE-4A-44"
(34) Connect-Info = "CONNECT 0Mbps 802.11a"
(34) Acct-Session-Id = "017A2B97AB5E2AC9"
(34) Acct-Multi-Session-Id = "45CDEC38FA7D45EA"
(34) WLAN-Pairwise-Cipher = 1027081
(34) WLAN-Group-Cipher = 1027081
(34) WLAN-AKM-Suite = 1027084
(34) WLAN-Group-Mgmt-Cipher = 1027084
(34) Framed-MTU = 1400
(34) EAP-Message = 0x023300060d00
(34) State = 0x1dc655fe1ef558f502bac633d68cc8fc
(34) Message-Authenticator = 0x0bebe790c47f939e8bd2c26c1b160c1d
(34) Restoring &session-state
(34) &session-state:Framed-MTU = 994
(34) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(34) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(34) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(34) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(34) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
(34) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(34) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(34) authorize {
(34) policy filter_username {
(34) if (&User-Name) {
(34) if (&User-Name) -> TRUE
(34) if (&User-Name) {
(34) if (&User-Name =~ / /) {
(34) if (&User-Name =~ / /) -> FALSE
(34) if (&User-Name =~ /@[^@]*@/ ) {
(34) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(34) if (&User-Name =~ /\.\./ ) {
(34) if (&User-Name =~ /\.\./ ) -> FALSE
(34) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(34) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(34) if (&User-Name =~ /\.$/) {
(34) if (&User-Name =~ /\.$/) -> FALSE
(34) if (&User-Name =~ /@\./) {
(34) if (&User-Name =~ /@\./) -> FALSE
(34) } # if (&User-Name) = notfound
(34) } # policy filter_username = notfound
(34) [preprocess] = ok
(34) suffix: Checking for suffix after "@"
(34) suffix: No '@' in User-Name = "F6PJ500VNTH0", looking up realm NULL
(34) suffix: No such realm "NULL"
(34) [suffix] = noop
(34) eap: Peer sent EAP Response (code 2) ID 51 length 6
(34) eap: No EAP Start, assuming it's an on-going EAP conversation
(34) [eap] = updated
(34) [files] = noop
rlm_ldap (ldap): Reserved connection (7)
(34) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(34) ldap: --> (uid=F6PJ500VNTH0)
(34) ldap: Performing search in "dc=users,dc=arendtsen,dc=dk" with filter "(uid=F6PJ500VNTH0)", scope "sub"
(34) ldap: Waiting for search result...
(34) ldap: User object found at DN "uid=F6PJ500VNTH0,ou=ipad,ou=devices,dc=users,dc=arendtsen,dc=dk"
(34) ldap: Processing user attributes
(34) ldap: control:Password-With-Header += 'F6PJ500VNTH0'
rlm_ldap (ldap): Released connection (7)
(34) [ldap] = updated
(34) [expiration] = noop
(34) [logintime] = noop
(34) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password
(34) pap: Removing &control:Password-With-Header
(34) pap: WARNING: Auth-Type already set. Not setting to PAP
(34) [pap] = noop
(34) } # authorize = updated
(34) Found Auth-Type = eap
(34) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(34) authenticate {
(34) eap: Expiring EAP session with state 0x1dc655fe1ef558f5
(34) eap: Finished EAP session with state 0x1dc655fe1ef558f5
(34) eap: Previous EAP request found for state 0x1dc655fe1ef558f5, released from the list
(34) eap: Peer sent packet with method EAP TLS (13)
(34) eap: Calling submodule eap_tls to process data
(34) eap_tls: (TLS) Peer ACKed our handshake fragment
(34) eap: Sending EAP Request (code 1) ID 52 length 469
(34) eap: EAP session adding &reply:State = 0x1dc655fe19f258f5
(34) [eap] = handled
(34) } # authenticate = handled
(34) Using Post-Auth-Type Challenge
(34) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(34) Challenge { ... } # empty sub-section is ignored
(34) session-state: Saving cached attributes
(34) Framed-MTU = 994
(34) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(34) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(34) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(34) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(34) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
(34) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(34) Sent Access-Challenge Id 39 from 192.168.254.16:1812 to 192.168.254.20:53045 length 529
(34) EAP-Message = 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
(34) Message-Authenticator = 0x00000000000000000000000000000000
(34) State = 0x1dc655fe19f258f502bac633d68cc8fc
(34) Finished request
Waking up in 4.9 seconds.
(35) Received Access-Request Id 40 from 192.168.254.20:53045 to 192.168.254.16:1812 length 1540
(35) User-Name = "F6PJ500VNTH0"
(35) NAS-IP-Address = 192.168.254.20
(35) Framed-IP-Address = 192.168.254.49
(35) NAS-Identifier = "7a455839b642"
(35) Called-Station-Id = "7A-45-58-39-B6-42:arendtsen-secure"
(35) NAS-Port-Type = Wireless-802.11
(35) Service-Type = Framed-User
(35) Calling-Station-Id = "64-0B-D7-DE-4A-44"
(35) Connect-Info = "CONNECT 0Mbps 802.11a"
(35) Acct-Session-Id = "017A2B97AB5E2AC9"
(35) Acct-Multi-Session-Id = "45CDEC38FA7D45EA"
(35) WLAN-Pairwise-Cipher = 1027081
(35) WLAN-Group-Cipher = 1027081
(35) WLAN-AKM-Suite = 1027084
(35) WLAN-Group-Mgmt-Cipher = 1027084
(35) Framed-MTU = 1400
(35) EAP-Message = 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
(35) State = 0x1dc655fe19f258f502bac633d68cc8fc
(35) Message-Authenticator = 0x95e05dab0e764eeac3744418a646132d
(35) Restoring &session-state
(35) &session-state:Framed-MTU = 994
(35) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(35) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(35) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(35) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(35) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
(35) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(35) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(35) authorize {
(35) policy filter_username {
(35) if (&User-Name) {
(35) if (&User-Name) -> TRUE
(35) if (&User-Name) {
(35) if (&User-Name =~ / /) {
(35) if (&User-Name =~ / /) -> FALSE
(35) if (&User-Name =~ /@[^@]*@/ ) {
(35) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(35) if (&User-Name =~ /\.\./ ) {
(35) if (&User-Name =~ /\.\./ ) -> FALSE
(35) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(35) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(35) if (&User-Name =~ /\.$/) {
(35) if (&User-Name =~ /\.$/) -> FALSE
(35) if (&User-Name =~ /@\./) {
(35) if (&User-Name =~ /@\./) -> FALSE
(35) } # if (&User-Name) = notfound
(35) } # policy filter_username = notfound
(35) [preprocess] = ok
(35) suffix: Checking for suffix after "@"
(35) suffix: No '@' in User-Name = "F6PJ500VNTH0", looking up realm NULL
(35) suffix: No such realm "NULL"
(35) [suffix] = noop
(35) eap: Peer sent EAP Response (code 2) ID 52 length 1276
(35) eap: No EAP Start, assuming it's an on-going EAP conversation
(35) [eap] = updated
(35) [files] = noop
rlm_ldap (ldap): Reserved connection (8)
(35) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(35) ldap: --> (uid=F6PJ500VNTH0)
(35) ldap: Performing search in "dc=users,dc=arendtsen,dc=dk" with filter "(uid=F6PJ500VNTH0)", scope "sub"
(35) ldap: Waiting for search result...
(35) ldap: User object found at DN "uid=F6PJ500VNTH0,ou=ipad,ou=devices,dc=users,dc=arendtsen,dc=dk"
(35) ldap: Processing user attributes
(35) ldap: control:Password-With-Header += 'F6PJ500VNTH0'
rlm_ldap (ldap): Released connection (8)
(35) [ldap] = updated
(35) [expiration] = noop
(35) [logintime] = noop
(35) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password
(35) pap: Removing &control:Password-With-Header
(35) pap: WARNING: Auth-Type already set. Not setting to PAP
(35) [pap] = noop
(35) } # authorize = updated
(35) Found Auth-Type = eap
(35) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(35) authenticate {
(35) eap: Expiring EAP session with state 0x1dc655fe19f258f5
(35) eap: Finished EAP session with state 0x1dc655fe19f258f5
(35) eap: Previous EAP request found for state 0x1dc655fe19f258f5, released from the list
(35) eap: Peer sent packet with method EAP TLS (13)
(35) eap: Calling submodule eap_tls to process data
(35) eap_tls: (TLS) EAP Peer says that the final record size will be 4199 bytes
(35) eap_tls: (TLS) EAP Expecting 4 fragments
(35) eap_tls: (TLS) EAP Got first TLS fragment (1266 bytes). Peer says more fragments will follow
(35) eap_tls: (TLS) EAP ACKing fragment, the peer should send more data.
(35) eap: Sending EAP Request (code 1) ID 53 length 6
(35) eap: EAP session adding &reply:State = 0x1dc655fe18f358f5
(35) [eap] = handled
(35) } # authenticate = handled
(35) Using Post-Auth-Type Challenge
(35) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(35) Challenge { ... } # empty sub-section is ignored
(35) session-state: Saving cached attributes
(35) Framed-MTU = 994
(35) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(35) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(35) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(35) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(35) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
(35) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(35) Sent Access-Challenge Id 40 from 192.168.254.16:1812 to 192.168.254.20:53045 length 64
(35) EAP-Message = 0x013500060d00
(35) Message-Authenticator = 0x00000000000000000000000000000000
(35) State = 0x1dc655fe18f358f502bac633d68cc8fc
(35) Finished request
Waking up in 4.8 seconds.
(36) Received Access-Request Id 41 from 192.168.254.20:53045 to 192.168.254.16:1812 length 1540
(36) User-Name = "F6PJ500VNTH0"
(36) NAS-IP-Address = 192.168.254.20
(36) Framed-IP-Address = 192.168.254.49
(36) NAS-Identifier = "7a455839b642"
(36) Called-Station-Id = "7A-45-58-39-B6-42:arendtsen-secure"
(36) NAS-Port-Type = Wireless-802.11
(36) Service-Type = Framed-User
(36) Calling-Station-Id = "64-0B-D7-DE-4A-44"
(36) Connect-Info = "CONNECT 0Mbps 802.11a"
(36) Acct-Session-Id = "017A2B97AB5E2AC9"
(36) Acct-Multi-Session-Id = "45CDEC38FA7D45EA"
(36) WLAN-Pairwise-Cipher = 1027081
(36) WLAN-Group-Cipher = 1027081
(36) WLAN-AKM-Suite = 1027084
(36) WLAN-Group-Mgmt-Cipher = 1027084
(36) Framed-MTU = 1400
(36) EAP-Message = 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
(36) State = 0x1dc655fe18f358f502bac633d68cc8fc
(36) Message-Authenticator = 0xe1b5e0847cab7cdaf195186ebd7420a7
(36) Restoring &session-state
(36) &session-state:Framed-MTU = 994
(36) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(36) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(36) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(36) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(36) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
(36) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(36) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(36) authorize {
(36) policy filter_username {
(36) if (&User-Name) {
(36) if (&User-Name) -> TRUE
(36) if (&User-Name) {
(36) if (&User-Name =~ / /) {
(36) if (&User-Name =~ / /) -> FALSE
(36) if (&User-Name =~ /@[^@]*@/ ) {
(36) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(36) if (&User-Name =~ /\.\./ ) {
(36) if (&User-Name =~ /\.\./ ) -> FALSE
(36) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(36) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(36) if (&User-Name =~ /\.$/) {
(36) if (&User-Name =~ /\.$/) -> FALSE
(36) if (&User-Name =~ /@\./) {
(36) if (&User-Name =~ /@\./) -> FALSE
(36) } # if (&User-Name) = notfound
(36) } # policy filter_username = notfound
(36) [preprocess] = ok
(36) suffix: Checking for suffix after "@"
(36) suffix: No '@' in User-Name = "F6PJ500VNTH0", looking up realm NULL
(36) suffix: No such realm "NULL"
(36) [suffix] = noop
(36) eap: Peer sent EAP Response (code 2) ID 53 length 1276
(36) eap: No EAP Start, assuming it's an on-going EAP conversation
(36) [eap] = updated
(36) [files] = noop
rlm_ldap (ldap): Reserved connection (7)
(36) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(36) ldap: --> (uid=F6PJ500VNTH0)
(36) ldap: Performing search in "dc=users,dc=arendtsen,dc=dk" with filter "(uid=F6PJ500VNTH0)", scope "sub"
(36) ldap: Waiting for search result...
(36) ldap: User object found at DN "uid=F6PJ500VNTH0,ou=ipad,ou=devices,dc=users,dc=arendtsen,dc=dk"
(36) ldap: Processing user attributes
(36) ldap: control:Password-With-Header += 'F6PJ500VNTH0'
rlm_ldap (ldap): Released connection (7)
(36) [ldap] = updated
(36) [expiration] = noop
(36) [logintime] = noop
(36) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password
(36) pap: Removing &control:Password-With-Header
(36) pap: WARNING: Auth-Type already set. Not setting to PAP
(36) [pap] = noop
(36) } # authorize = updated
(36) Found Auth-Type = eap
(36) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(36) authenticate {
(36) eap: Expiring EAP session with state 0x1dc655fe18f358f5
(36) eap: Finished EAP session with state 0x1dc655fe18f358f5
(36) eap: Previous EAP request found for state 0x1dc655fe18f358f5, released from the list
(36) eap: Peer sent packet with method EAP TLS (13)
(36) eap: Calling submodule eap_tls to process data
(36) eap_tls: (TLS) EAP Got additional fragment (1270 bytes). Peer says more fragments will follow
(36) eap_tls: (TLS) EAP ACKing fragment, the peer should send more data.
(36) eap: Sending EAP Request (code 1) ID 54 length 6
(36) eap: EAP session adding &reply:State = 0x1dc655fe1bf058f5
(36) [eap] = handled
(36) } # authenticate = handled
(36) Using Post-Auth-Type Challenge
(36) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(36) Challenge { ... } # empty sub-section is ignored
(36) session-state: Saving cached attributes
(36) Framed-MTU = 994
(36) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(36) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(36) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(36) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(36) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
(36) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(36) Sent Access-Challenge Id 41 from 192.168.254.16:1812 to 192.168.254.20:53045 length 64
(36) EAP-Message = 0x013600060d00
(36) Message-Authenticator = 0x00000000000000000000000000000000
(36) State = 0x1dc655fe1bf058f502bac633d68cc8fc
(36) Finished request
Waking up in 4.8 seconds.
(37) Received Access-Request Id 42 from 192.168.254.20:53045 to 192.168.254.16:1812 length 1540
(37) User-Name = "F6PJ500VNTH0"
(37) NAS-IP-Address = 192.168.254.20
(37) Framed-IP-Address = 192.168.254.49
(37) NAS-Identifier = "7a455839b642"
(37) Called-Station-Id = "7A-45-58-39-B6-42:arendtsen-secure"
(37) NAS-Port-Type = Wireless-802.11
(37) Service-Type = Framed-User
(37) Calling-Station-Id = "64-0B-D7-DE-4A-44"
(37) Connect-Info = "CONNECT 0Mbps 802.11a"
(37) Acct-Session-Id = "017A2B97AB5E2AC9"
(37) Acct-Multi-Session-Id = "45CDEC38FA7D45EA"
(37) WLAN-Pairwise-Cipher = 1027081
(37) WLAN-Group-Cipher = 1027081
(37) WLAN-AKM-Suite = 1027084
(37) WLAN-Group-Mgmt-Cipher = 1027084
(37) Framed-MTU = 1400
(37) EAP-Message = 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
(37) State = 0x1dc655fe1bf058f502bac633d68cc8fc
(37) Message-Authenticator = 0xd57a8d78c6d155d0b849a7b747d1874c
(37) Restoring &session-state
(37) &session-state:Framed-MTU = 994
(37) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(37) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(37) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (37) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (37) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (37) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (37) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (37) authorize { (37) policy filter_username { (37) if (&User-Name) { (37) if (&User-Name) -> TRUE (37) if (&User-Name) { (37) if (&User-Name =~ / /) { (37) if (&User-Name =~ / /) -> FALSE (37) if (&User-Name =~ /@[^@]*@/ ) { (37) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (37) if (&User-Name =~ /\.\./ ) { (37) if (&User-Name =~ /\.\./ ) -> FALSE (37) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (37) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (37) if (&User-Name =~ /\.$/) { (37) if (&User-Name =~ /\.$/) -> FALSE (37) if (&User-Name =~ /@\./) { (37) if (&User-Name =~ /@\./) -> FALSE (37) } # if (&User-Name) = notfound (37) } # policy filter_username = notfound (37) [preprocess] = ok (37) suffix: Checking for suffix after "@" (37) suffix: No '@' in User-Name = "F6PJ500VNTH0", looking up realm NULL (37) suffix: No such realm "NULL" (37) [suffix] = noop (37) eap: Peer sent EAP Response (code 2) ID 54 length 1276 (37) eap: No EAP Start, assuming it's an on-going EAP conversation (37) [eap] = updated (37) [files] = noop rlm_ldap (ldap): Reserved connection (8) (37) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (37) ldap: --> (uid=F6PJ500VNTH0) (37) ldap: Performing search in "dc=users,dc=arendtsen,dc=dk" with filter "(uid=F6PJ500VNTH0)", scope "sub" (37) ldap: Waiting for search result... 
(37) ldap: User object found at DN "uid=F6PJ500VNTH0,ou=ipad,ou=devices,dc=users,dc=arendtsen,dc=dk" (37) ldap: Processing user attributes (37) ldap: control:Password-With-Header += 'F6PJ500VNTH0' rlm_ldap (ldap): Released connection (8) (37) [ldap] = updated (37) [expiration] = noop (37) [logintime] = noop (37) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (37) pap: Removing &control:Password-With-Header (37) pap: WARNING: Auth-Type already set. Not setting to PAP (37) [pap] = noop (37) } # authorize = updated (37) Found Auth-Type = eap (37) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (37) authenticate { (37) eap: Expiring EAP session with state 0x1dc655fe1bf058f5 (37) eap: Finished EAP session with state 0x1dc655fe1bf058f5 (37) eap: Previous EAP request found for state 0x1dc655fe1bf058f5, released from the list (37) eap: Peer sent packet with method EAP TLS (13) (37) eap: Calling submodule eap_tls to process data (37) eap_tls: (TLS) EAP Got additional fragment (1270 bytes). Peer says more fragments will follow (37) eap_tls: (TLS) EAP ACKing fragment, the peer should send more data. (37) eap: Sending EAP Request (code 1) ID 55 length 6 (37) eap: EAP session adding &reply:State = 0x1dc655fe1af158f5 (37) [eap] = handled (37) } # authenticate = handled (37) Using Post-Auth-Type Challenge (37) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (37) Challenge { ... 
} # empty sub-section is ignored (37) session-state: Saving cached attributes (37) Framed-MTU = 994 (37) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (37) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (37) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (37) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (37) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (37) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (37) Sent Access-Challenge Id 42 from 192.168.254.16:1812 to 192.168.254.20:53045 length 64 (37) EAP-Message = 0x013700060d00 (37) Message-Authenticator = 0x00000000000000000000000000000000 (37) State = 0x1dc655fe1af158f502bac633d68cc8fc (37) Finished request Waking up in 4.8 seconds. (38) Received Access-Request Id 43 from 192.168.254.20:53045 to 192.168.254.16:1812 length 655 (38) User-Name = "F6PJ500VNTH0" (38) NAS-IP-Address = 192.168.254.20 (38) Framed-IP-Address = 192.168.254.49 (38) NAS-Identifier = "7a455839b642" (38) Called-Station-Id = "7A-45-58-39-B6-42:arendtsen-secure" (38) NAS-Port-Type = Wireless-802.11 (38) Service-Type = Framed-User (38) Calling-Station-Id = "64-0B-D7-DE-4A-44" (38) Connect-Info = "CONNECT 0Mbps 802.11a" (38) Acct-Session-Id = "017A2B97AB5E2AC9" (38) Acct-Multi-Session-Id = "45CDEC38FA7D45EA" (38) WLAN-Pairwise-Cipher = 1027081 (38) WLAN-Group-Cipher = 1027081 (38) WLAN-AKM-Suite = 1027084 (38) WLAN-Group-Mgmt-Cipher = 1027084 (38) Framed-MTU = 1400 (38) EAP-Message = 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 (38) State = 0x1dc655fe1af158f502bac633d68cc8fc (38) Message-Authenticator = 0x3683f0f2edfff2ff2a4c92cb46928d8d (38) Restoring &session-state (38) &session-state:Framed-MTU = 994 (38) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (38) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" 
(38) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (38) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (38) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (38) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (38) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (38) authorize { (38) policy filter_username { (38) if (&User-Name) { (38) if (&User-Name) -> TRUE (38) if (&User-Name) { (38) if (&User-Name =~ / /) { (38) if (&User-Name =~ / /) -> FALSE (38) if (&User-Name =~ /@[^@]*@/ ) { (38) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (38) if (&User-Name =~ /\.\./ ) { (38) if (&User-Name =~ /\.\./ ) -> FALSE (38) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (38) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (38) if (&User-Name =~ /\.$/) { (38) if (&User-Name =~ /\.$/) -> FALSE (38) if (&User-Name =~ /@\./) { (38) if (&User-Name =~ /@\./) -> FALSE (38) } # if (&User-Name) = notfound (38) } # policy filter_username = notfound (38) [preprocess] = ok (38) suffix: Checking for suffix after "@" (38) suffix: No '@' in User-Name = "F6PJ500VNTH0", looking up realm NULL (38) suffix: No such realm "NULL" (38) [suffix] = noop (38) eap: Peer sent EAP Response (code 2) ID 55 length 399 (38) eap: No EAP Start, assuming it's an on-going EAP conversation (38) [eap] = updated (38) [files] = noop rlm_ldap (ldap): Reserved connection (7) (38) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (38) ldap: --> (uid=F6PJ500VNTH0) (38) ldap: Performing search in "dc=users,dc=arendtsen,dc=dk" with filter "(uid=F6PJ500VNTH0)", scope "sub" (38) ldap: Waiting for search result... 
(38) ldap: User object found at DN "uid=F6PJ500VNTH0,ou=ipad,ou=devices,dc=users,dc=arendtsen,dc=dk" (38) ldap: Processing user attributes (38) ldap: control:Password-With-Header += 'F6PJ500VNTH0' rlm_ldap (ldap): Released connection (7) (38) [ldap] = updated (38) [expiration] = noop (38) [logintime] = noop (38) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (38) pap: Removing &control:Password-With-Header (38) pap: WARNING: Auth-Type already set. Not setting to PAP (38) [pap] = noop (38) } # authorize = updated (38) Found Auth-Type = eap (38) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (38) authenticate { (38) eap: Expiring EAP session with state 0x1dc655fe1af158f5 (38) eap: Finished EAP session with state 0x1dc655fe1af158f5 (38) eap: Previous EAP request found for state 0x1dc655fe1af158f5, released from the list (38) eap: Peer sent packet with method EAP TLS (13) (38) eap: Calling submodule eap_tls to process data (38) eap_tls: (TLS) EAP Got final fragment (393 bytes) (38) eap_tls: (TLS) EAP Done initial handshake (38) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done (38) eap_tls: (TLS) recv TLS 1.2 Handshake, Certificate (38) eap_tls: (TLS) Creating attributes from ????? ?? 
certificate (38) eap_tls: (TLS) Creating attributes from server certificate (38) eap_tls: TLS-Cert-Serial := "714cce994724fbab9c091bbe8d98c700e39a3efb" (38) eap_tls: TLS-Cert-Expiration := "261013191708Z" (38) eap_tls: TLS-Cert-Valid-Since := "211011191708Z" (38) eap_tls: TLS-Cert-Subject := "/C=DK/O=Arendtsen/CN=Arendtsen Devices Issusing CA 20211011" (38) eap_tls: TLS-Cert-Issuer := "/CN=Arendtsen Root CA 20210823" (38) eap_tls: TLS-Cert-Common-Name := "Arendtsen Devices Issusing CA 20211011" (38) eap_tls: (TLS) Creating attributes from client certificate (38) eap_tls: TLS-Client-Cert-Serial := "6cff7e76695b0cf259f0" (38) eap_tls: TLS-Client-Cert-Expiration := "240731203959Z" (38) eap_tls: TLS-Client-Cert-Valid-Since := "230731203959Z" (38) eap_tls: TLS-Client-Cert-Subject := "/DC=dk/DC=arendtsen/DC=devices/OU=ipad/CN=F6PJ500VNTH0" (38) eap_tls: TLS-Client-Cert-Issuer := "/C=DK/O=Arendtsen/CN=Arendtsen Devices Issusing CA 20211011" (38) eap_tls: TLS-Client-Cert-Common-Name := "F6PJ500VNTH0" (38) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:10:1C:A7:8C:D7:17:69:61:C6:0B:F3:8F:B2:D4:7E:EC:0D:11:82:27\n" (38) eap_tls: TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE" (38) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication" (38) eap_tls: TLS-Client-Cert-X509v3-Certificate-Policies += "Policy: 1.2.3.4\n CPS: http://pki.arendtsen.dk/cps.html\n CPS: http://pki.arendtsen.dk/cps.html\n User Notice:\n Explicit Text: This is a comment for policy oid 1.2.3.4\n" (38) eap_tls: TLS-Client-Cert-X509v3-Subject-Key-Identifier += "81:17:16:D4:F4:AC:85:99:09:6C:53:F2:B6:F5:EE:76:E0:88:45:EA" (38) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" Certificate chain - 2 cert(s) untrusted (TLS) untrusted certificate with depth [2] subject name /CN=Arendtsen Root CA 20210823 (TLS) untrusted certificate with depth [1] subject name /C=DK/O=Arendtsen/CN=Arendtsen Devices Issusing CA 20211011 (TLS) 
untrusted certificate with depth [0] subject name /DC=dk/DC=arendtsen/DC=devices/OU=ipad/CN=F6PJ500VNTH0 (38) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client certificate (38) eap_tls: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange (38) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client key exchange (38) eap_tls: (TLS) recv TLS 1.2 Handshake, CertificateVerify (38) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read certificate verify (38) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read change cipher spec (38) eap_tls: (TLS) recv TLS 1.2 Handshake, Finished (38) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read finished (38) eap_tls: (TLS) send TLS 1.2 ChangeCipherSpec (38) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write change cipher spec (38) eap_tls: (TLS) send TLS 1.2 Handshake, Finished (38) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write finished (38) eap_tls: (TLS) Handshake state - SSL negotiation finished successfully (38) eap_tls: (TLS) Connection Established (38) eap_tls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (38) eap_tls: TLS-Session-Version = "TLS 1.2" (38) eap: Sending EAP Request (code 1) ID 56 length 61 (38) eap: EAP session adding &reply:State = 0x1dc655fe15fe58f5 (38) [eap] = handled (38) } # authenticate = handled (38) Using Post-Auth-Type Challenge (38) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (38) Challenge { ... 
} # empty sub-section is ignored (38) session-state: Saving cached attributes (38) Framed-MTU = 994 (38) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (38) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (38) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (38) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (38) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (38) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (38) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Certificate" (38) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (38) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, CertificateVerify" (38) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (38) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (38) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (38) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (38) TLS-Session-Version = "TLS 1.2" (38) Sent Access-Challenge Id 43 from 192.168.254.16:1812 to 192.168.254.20:53045 length 119 (38) EAP-Message = 0x0138003d0d80000000331403030001011603030028586fdcd127f25d3a22202ac4cd8f0e74b9334be9ae7fd1e662e12b28ad1f7f54f7db41bd167857b5 (38) Message-Authenticator = 0x00000000000000000000000000000000 (38) State = 0x1dc655fe15fe58f502bac633d68cc8fc (38) Finished request Waking up in 4.8 seconds. 
(39) Received Access-Request Id 44 from 192.168.254.20:53045 to 192.168.254.16:1812 length 260 (39) User-Name = "F6PJ500VNTH0" (39) NAS-IP-Address = 192.168.254.20 (39) Framed-IP-Address = 192.168.254.49 (39) NAS-Identifier = "7a455839b642" (39) Called-Station-Id = "7A-45-58-39-B6-42:arendtsen-secure" (39) NAS-Port-Type = Wireless-802.11 (39) Service-Type = Framed-User (39) Calling-Station-Id = "64-0B-D7-DE-4A-44" (39) Connect-Info = "CONNECT 0Mbps 802.11a" (39) Acct-Session-Id = "017A2B97AB5E2AC9" (39) Acct-Multi-Session-Id = "45CDEC38FA7D45EA" (39) WLAN-Pairwise-Cipher = 1027081 (39) WLAN-Group-Cipher = 1027081 (39) WLAN-AKM-Suite = 1027084 (39) WLAN-Group-Mgmt-Cipher = 1027084 (39) Framed-MTU = 1400 (39) EAP-Message = 0x023800060d00 (39) State = 0x1dc655fe15fe58f502bac633d68cc8fc (39) Message-Authenticator = 0xa504a1b43f52ee3f36bdf276d6bc0ace (39) Restoring &session-state (39) &session-state:Framed-MTU = 994 (39) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (39) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (39) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (39) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (39) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (39) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (39) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Certificate" (39) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (39) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, CertificateVerify" (39) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (39) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (39) &session-state:TLS-Session-Information = "(TLS) send TLS 
1.2 Handshake, Finished" (39) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (39) &session-state:TLS-Session-Version = "TLS 1.2" (39) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (39) authorize { (39) policy filter_username { (39) if (&User-Name) { (39) if (&User-Name) -> TRUE (39) if (&User-Name) { (39) if (&User-Name =~ / /) { (39) if (&User-Name =~ / /) -> FALSE (39) if (&User-Name =~ /@[^@]*@/ ) { (39) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (39) if (&User-Name =~ /\.\./ ) { (39) if (&User-Name =~ /\.\./ ) -> FALSE (39) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (39) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (39) if (&User-Name =~ /\.$/) { (39) if (&User-Name =~ /\.$/) -> FALSE (39) if (&User-Name =~ /@\./) { (39) if (&User-Name =~ /@\./) -> FALSE (39) } # if (&User-Name) = notfound (39) } # policy filter_username = notfound (39) [preprocess] = ok (39) suffix: Checking for suffix after "@" (39) suffix: No '@' in User-Name = "F6PJ500VNTH0", looking up realm NULL (39) suffix: No such realm "NULL" (39) [suffix] = noop (39) eap: Peer sent EAP Response (code 2) ID 56 length 6 (39) eap: No EAP Start, assuming it's an on-going EAP conversation (39) [eap] = updated (39) [files] = noop rlm_ldap (ldap): Reserved connection (8) (39) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (39) ldap: --> (uid=F6PJ500VNTH0) (39) ldap: Performing search in "dc=users,dc=arendtsen,dc=dk" with filter "(uid=F6PJ500VNTH0)", scope "sub" (39) ldap: Waiting for search result... 
(39) ldap: User object found at DN "uid=F6PJ500VNTH0,ou=ipad,ou=devices,dc=users,dc=arendtsen,dc=dk" (39) ldap: Processing user attributes (39) ldap: control:Password-With-Header += 'F6PJ500VNTH0' rlm_ldap (ldap): Released connection (8) (39) [ldap] = updated (39) [expiration] = noop (39) [logintime] = noop (39) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (39) pap: Removing &control:Password-With-Header (39) pap: WARNING: Auth-Type already set. Not setting to PAP (39) [pap] = noop (39) } # authorize = updated (39) Found Auth-Type = eap (39) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (39) authenticate { (39) eap: Expiring EAP session with state 0x1dc655fe15fe58f5 (39) eap: Finished EAP session with state 0x1dc655fe15fe58f5 (39) eap: Previous EAP request found for state 0x1dc655fe15fe58f5, released from the list (39) eap: Peer sent packet with method EAP TLS (13) (39) eap: Calling submodule eap_tls to process data (39) eap_tls: (TLS) Peer ACKed our handshake fragment. 
handshake is finished (39) eap_tls: Validating certificate (39) Virtual server check-eap-tls-arendtsen received request (39) User-Name = "F6PJ500VNTH0" (39) NAS-IP-Address = 192.168.254.20 (39) Framed-IP-Address = 192.168.254.49 (39) NAS-Identifier = "7a455839b642" (39) Called-Station-Id = "7A-45-58-39-B6-42:arendtsen-secure" (39) NAS-Port-Type = Wireless-802.11 (39) Service-Type = Framed-User (39) Calling-Station-Id = "64-0B-D7-DE-4A-44" (39) Connect-Info = "CONNECT 0Mbps 802.11a" (39) Acct-Session-Id = "017A2B97AB5E2AC9" (39) Acct-Multi-Session-Id = "45CDEC38FA7D45EA" (39) WLAN-Pairwise-Cipher = 1027081 (39) WLAN-Group-Cipher = 1027081 (39) WLAN-AKM-Suite = 1027084 (39) WLAN-Group-Mgmt-Cipher = 1027084 (39) Framed-MTU = 1400 (39) EAP-Message = 0x023800060d00 (39) State = 0x1dc655fe15fe58f502bac633d68cc8fc (39) Message-Authenticator = 0xa504a1b43f52ee3f36bdf276d6bc0ace (39) Event-Timestamp = "Aug 12 2023 16:45:29 CEST" (39) EAP-Type = TLS (39) TLS-Cert-Serial := "714cce994724fbab9c091bbe8d98c700e39a3efb" (39) TLS-Cert-Expiration := "261013191708Z" (39) TLS-Cert-Valid-Since := "211011191708Z" (39) TLS-Cert-Subject := "/C=DK/O=Arendtsen/CN=Arendtsen Devices Issusing CA 20211011" (39) TLS-Cert-Issuer := "/CN=Arendtsen Root CA 20210823" (39) TLS-Cert-Common-Name := "Arendtsen Devices Issusing CA 20211011" (39) TLS-Client-Cert-Serial := "6cff7e76695b0cf259f0" (39) TLS-Client-Cert-Expiration := "240731203959Z" (39) TLS-Client-Cert-Valid-Since := "230731203959Z" (39) TLS-Client-Cert-Subject := "/DC=dk/DC=arendtsen/DC=devices/OU=ipad/CN=F6PJ500VNTH0" (39) TLS-Client-Cert-Issuer := "/C=DK/O=Arendtsen/CN=Arendtsen Devices Issusing CA 20211011" (39) TLS-Client-Cert-Common-Name := "F6PJ500VNTH0" (39) TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:10:1C:A7:8C:D7:17:69:61:C6:0B:F3:8F:B2:D4:7E:EC:0D:11:82:27\n" (39) TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE" (39) TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication" (39) 
TLS-Client-Cert-X509v3-Certificate-Policies += "Policy: 1.2.3.4\n CPS: http://pki.arendtsen.dk/cps.html\n CPS: http://pki.arendtsen.dk/cps.html\n User Notice:\n Explicit Text: This is a comment for policy oid 1.2.3.4\n" (39) TLS-Client-Cert-X509v3-Subject-Key-Identifier += "81:17:16:D4:F4:AC:85:99:09:6C:53:F2:B6:F5:EE:76:E0:88:45:EA" (39) TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" (39) WARNING: Outer and inner identities are the same. User privacy is compromised. (39) server check-eap-tls-arendtsen { (39) session-state: No cached attributes (39) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/check-eap-tls-arendtsen (39) authorize { (39) update config { (39) &Auth-Type := Accept (39) } # update config = noop (39) if (&User-Name == &TLS-Client-Cert-Common-Name) { (39) if (&User-Name == &TLS-Client-Cert-Common-Name) -> TRUE (39) if (&User-Name == &TLS-Client-Cert-Common-Name) { (39) update config { (39) &Auth-Type := Accept (39) } # update config = noop (39) } # if (&User-Name == &TLS-Client-Cert-Common-Name) = noop (39) ... skipping else: Preceding "if" was taken rlm_ldap (ldap): Reserved connection (7) (39) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (39) ldap: --> (uid=F6PJ500VNTH0) (39) ldap: Performing search in "dc=users,dc=arendtsen,dc=dk" with filter "(uid=F6PJ500VNTH0)", scope "sub" (39) ldap: Waiting for search result... 
(39) ldap: User object found at DN "uid=F6PJ500VNTH0,ou=ipad,ou=devices,dc=users,dc=arendtsen,dc=dk" (39) ldap: Processing user attributes (39) ldap: control:Password-With-Header += 'F6PJ500VNTH0' rlm_ldap (ldap): Released connection (7) (39) [ldap] = updated (39) if (Ldap-Group == "radius-vlan-*") { (39) Searching for user in group "radius-vlan-*" rlm_ldap (ldap): Reserved connection (8) (39) Using user DN from request "uid=F6PJ500VNTH0,ou=ipad,ou=devices,dc=users,dc=arendtsen,dc=dk" (39) Checking for user in group objects (39) EXPAND (&(cn=radius-vlan-*)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))) (39) --> (&(cn=radius-vlan-*)(objectClass=posixGroup)(|(member=uid\3dF6PJ500VNTH0\2cou\3dipad\2cou\3ddevices\2cdc\3dusers\2cdc\3darendtsen\2cdc\3ddk)(memberUid=F6PJ500VNTH0))) (39) Performing search in "dc=groups,dc=arendtsen,dc=dk" with filter "(&(cn=radius-vlan-*)(objectClass=posixGroup)(|(member=uid\3dF6PJ500VNTH0\2cou\3dipad\2cou\3ddevices\2cdc\3dusers\2cdc\3darendtsen\2cdc\3ddk)(memberUid=F6PJ500VNTH0)))", scope "sub" (39) Waiting for search result... 
(39) User found in group object "cn=radius-vlan-secure,ou=profiles,ou=network,dc=groups,dc=arendtsen,dc=dk" rlm_ldap (ldap): Released connection (8) (39) if (Ldap-Group == "radius-vlan-*") -> TRUE (39) if (Ldap-Group == "radius-vlan-*") { (39) update config { (39) &Auth-Type := Accept (39) } # update config = noop (39) } # if (Ldap-Group == "radius-vlan-*") = noop (39) [files] = noop (39) auth_log: EXPAND /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (39) auth_log: --> /var/log/radacct/192.168.254.20/auth-detail-20230812 (39) auth_log: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/192.168.254.20/auth-detail-20230812 (39) auth_log: EXPAND %t (39) auth_log: --> Sat Aug 12 16:45:29 2023 (39) [auth_log] = ok (39) } # authorize = updated (39) Found Auth-Type = Accept (39) Auth-Type = Accept, accepting the user (39) } # server check-eap-tls-arendtsen (39) Virtual server sending reply (39) eap: Sending EAP Success (code 3) ID 56 length 4 (39) eap: Freeing handler (39) [eap] = ok (39) } # authenticate = ok (39) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (39) post-auth { (39) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (39) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (39) update { (39) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994 (39) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake, ClientHello' (39) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHello' (39) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Certificate' (39) &reply::TLS-Session-Information += 
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerKeyExchange' (39) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, CertificateRequest' (39) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHelloDone' (39) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, Certificate' (39) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, ClientKeyExchange' (39) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, CertificateVerify' (39) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, Finished' (39) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 ChangeCipherSpec' (39) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Finished' (39) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384' (39) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2' (39) } # update = noop (39) [exec] = noop (39) policy remove_reply_message_if_eap { (39) if (&reply:EAP-Message && &reply:Reply-Message) { (39) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (39) else { (39) [noop] = noop (39) } # else = noop (39) } # policy remove_reply_message_if_eap = noop (39) if (EAP-Key-Name && &reply:EAP-Session-Id) { (39) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE (39) } # post-auth = noop (39) Sent Access-Accept Id 44 from 192.168.254.16:1812 to 192.168.254.20:53045 length 180 (39) MS-MPPE-Recv-Key = 0xf857115146772b68ec02c4ae1b5a81476cbfba92b05039601f14d3ec5246f129 (39) MS-MPPE-Send-Key = 
0x4a092a1f29f93511b9c29fbc4fa885cd342e285e042f16273fbc21526f3dcb3e (39) EAP-Message = 0x03380004 (39) Message-Authenticator = 0x00000000000000000000000000000000 (39) User-Name = "F6PJ500VNTH0" (39) Framed-MTU += 994 (39) Finished request Waking up in 4.8 seconds. (30) Cleaning up request packet ID 35 with timestamp +13850 due to cleanup_delay was reached (31) Cleaning up request packet ID 36 with timestamp +13850 due to cleanup_delay was reached (32) Cleaning up request packet ID 37 with timestamp +13850 due to cleanup_delay was reached (33) Cleaning up request packet ID 38 with timestamp +13850 due to cleanup_delay was reached (34) Cleaning up request packet ID 39 with timestamp +13850 due to cleanup_delay was reached (35) Cleaning up request packet ID 40 with timestamp +13850 due to cleanup_delay was reached (36) Cleaning up request packet ID 41 with timestamp +13850 due to cleanup_delay was reached (37) Cleaning up request packet ID 42 with timestamp +13850 due to cleanup_delay was reached (38) Cleaning up request packet ID 43 with timestamp +13850 due to cleanup_delay was reached (39) Cleaning up request packet ID 44 with timestamp +13850 due to cleanup_delay was reached Ready to process requests