(18) Received Access-Request Id 63 from 192.168.254.20:53045 to 192.168.254.16:1812 length 247 (18) User-Name = "F6PJ500VNTH0" (18) NAS-IP-Address = 192.168.254.20 (18) NAS-Identifier = "7a455839b642" (18) Called-Station-Id = "7A-45-58-39-B6-42:arendtsen-secure" (18) NAS-Port-Type = Wireless-802.11 (18) Service-Type = Framed-User (18) Calling-Station-Id = "64-0B-D7-DE-4A-44" (18) Connect-Info = "CONNECT 0Mbps 802.11a" (18) Acct-Session-Id = "C931B4760D7AD332" (18) Acct-Multi-Session-Id = "9E8F3E49C91FA6F6" (18) WLAN-Pairwise-Cipher = 1027081 (18) WLAN-Group-Cipher = 1027081 (18) WLAN-AKM-Suite = 1027084 (18) WLAN-Group-Mgmt-Cipher = 1027084 (18) Framed-MTU = 1400 (18) EAP-Message = 0x02d40011014636504a353030564e544830 (18) Message-Authenticator = 0x4fb3c6c233e58315646f7e2e5a7deb1b (18) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (18) authorize { (18) policy filter_username { (18) if (&User-Name) { (18) if (&User-Name) -> TRUE (18) if (&User-Name) { (18) if (&User-Name =~ / /) { (18) if (&User-Name =~ / /) -> FALSE (18) if (&User-Name =~ /@[^@]*@/ ) { (18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (18) if (&User-Name =~ /\.\./ ) { (18) if (&User-Name =~ /\.\./ ) -> FALSE (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (18) if (&User-Name =~ /\.$/) { (18) if (&User-Name =~ /\.$/) -> FALSE (18) if (&User-Name =~ /@\./) { (18) if (&User-Name =~ /@\./) -> FALSE (18) } # if (&User-Name) = notfound (18) } # policy filter_username = notfound (18) [preprocess] = ok (18) suffix: Checking for suffix after "@" (18) suffix: No '@' in User-Name = "F6PJ500VNTH0", looking up realm NULL (18) suffix: No such realm "NULL" (18) [suffix] = noop (18) eap: Peer sent EAP Response (code 2) ID 212 length 17 (18) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (18) [eap] = ok (18) } # authorize = ok (18) Found Auth-Type = eap (18) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (18) authenticate { (18) eap: Peer sent packet with method EAP Identity (1) (18) eap: Calling submodule eap_tls to process data (18) eap_tls: (TLS) Initiating new session (18) eap_tls: (TLS) Setting verify mode to require certificate from client (18) eap: Sending EAP Request (code 1) ID 213 length 6 (18) eap: EAP session adding &reply:State = 0xeb52e275eb87efc1 (18) [eap] = handled (18) } # authenticate = handled (18) Using Post-Auth-Type Challenge (18) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (18) Challenge { ... } # empty sub-section is ignored (18) session-state: Saving cached attributes (18) Framed-MTU = 994 (18) Sent Access-Challenge Id 63 from 192.168.254.16:1812 to 192.168.254.20:53045 length 64 (18) EAP-Message = 0x01d500060d20 (18) Message-Authenticator = 0x00000000000000000000000000000000 (18) State = 0xeb52e275eb87efc1932f5b1261513358 (18) Finished request Waking up in 4.9 seconds. (19) Received Access-Request Id 64 from 192.168.254.20:53045 to 192.168.254.16:1812 length 412 (19) User-Name = "F6PJ500VNTH0" (19) NAS-IP-Address = 192.168.254.20 (19) NAS-Identifier = "7a455839b642" (19) Called-Station-Id = "7A-45-58-39-B6-42:arendtsen-secure" (19) NAS-Port-Type = Wireless-802.11 (19) Service-Type = Framed-User (19) Calling-Station-Id = "64-0B-D7-DE-4A-44" (19) Connect-Info = "CONNECT 0Mbps 802.11a" (19) Acct-Session-Id = "C931B4760D7AD332" (19) Acct-Multi-Session-Id = "9E8F3E49C91FA6F6" (19) WLAN-Pairwise-Cipher = 1027081 (19) WLAN-Group-Cipher = 1027081 (19) WLAN-AKM-Suite = 1027084 (19) WLAN-Group-Mgmt-Cipher = 1027084 (19) Framed-MTU = 1400 (19) EAP-Message = 0x02d500a40d800000009a16030100950100009103030a703f28501e5a736e22ad1fd8cdad5fdfa52d1262864910e40fe789b64faf19000022c02cc02bcca9c030c02fcca8c00ac009c014c013009d009c0035002fc008c012000a0100004600170000ff01000100000a000a0008001d001700180019000b00020100000500050100000000000d001800160403080404010503020308050805050108060601020100120000 (19) State = 0xeb52e275eb87efc1932f5b1261513358 (19) Message-Authenticator = 0xb4776e2fde370f95343593b99e70a04c (19) Restoring &session-state (19) &session-state:Framed-MTU = 994 (19) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (19) authorize { (19) policy filter_username { (19) if (&User-Name) { (19) if (&User-Name) -> TRUE (19) if (&User-Name) { (19) if (&User-Name =~ / /) { (19) if (&User-Name =~ / /) -> FALSE (19) if (&User-Name =~ /@[^@]*@/ ) { (19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (19) if (&User-Name =~ /\.\./ ) { (19) if (&User-Name =~ /\.\./ ) -> FALSE (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (19) if (&User-Name =~ /\.$/) { (19) if (&User-Name =~ /\.$/) -> FALSE (19) if (&User-Name =~ /@\./) { (19) if (&User-Name =~ /@\./) -> FALSE (19) } # if (&User-Name) = notfound (19) } # policy filter_username = notfound (19) [preprocess] = ok (19) suffix: Checking for suffix after "@" (19) suffix: No '@' in User-Name = "F6PJ500VNTH0", looking up realm NULL (19) suffix: No such realm "NULL" (19) [suffix] = noop (19) eap: Peer sent EAP Response (code 2) ID 213 length 164 (19) eap: No EAP Start, assuming it's an on-going EAP conversation (19) [eap] = updated (19) [files] = noop rlm_ldap (ldap): Reserved connection (6) (19) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (19) ldap: --> (uid=F6PJ500VNTH0) (19) ldap: Performing search in "dc=users,dc=arendtsen,dc=dk" with filter "(uid=F6PJ500VNTH0)", scope "sub" (19) ldap: Waiting for search result... (19) ldap: User object found at DN "uid=F6PJ500VNTH0,ou=ipad,ou=devices,dc=users,dc=arendtsen,dc=dk" (19) ldap: EXPAND (&(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))) (19) ldap: --> (&(objectClass=posixGroup)(|(member=uid\3dF6PJ500VNTH0\2cou\3dipad\2cou\3ddevices\2cdc\3dusers\2cdc\3darendtsen\2cdc\3ddk)(memberUid=F6PJ500VNTH0))) (19) ldap: Performing search in "dc=groups,dc=arendtsen,dc=dk" with filter "(&(objectClass=posixGroup)(|(member=uid\3dF6PJ500VNTH0\2cou\3dipad\2cou\3ddevices\2cdc\3dusers\2cdc\3darendtsen\2cdc\3ddk)(memberUid=F6PJ500VNTH0)))", scope "sub" (19) ldap: Waiting for search result... (19) ldap: Adding cacheable group object memberships (19) ldap: &control:LDAP-Group += "radius-vlan-secure" (19) ldap: Processing user attributes (19) ldap: control:Password-With-Header += 'F6PJ500VNTH0' rlm_ldap (ldap): Released connection (6) Need more connections to reach 5 spares rlm_ldap (ldap): Opening additional connection (7), 1 of 29 pending slots used rlm_ldap (ldap): Connecting to ldap://localhost:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Closing expired connection (5) - Hit idle_timeout limit rlm_ldap (ldap): Closing expired connection (0) - Hit idle_timeout limit (19) [ldap] = updated (19) [expiration] = noop (19) [logintime] = noop (19) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (19) pap: Removing &control:Password-With-Header (19) pap: WARNING: Auth-Type already set. Not setting to PAP (19) [pap] = noop (19) } # authorize = updated (19) Found Auth-Type = eap (19) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (19) authenticate { (19) eap: Expiring EAP session with state 0xeb52e275eb87efc1 (19) eap: Finished EAP session with state 0xeb52e275eb87efc1 (19) eap: Previous EAP request found for state 0xeb52e275eb87efc1, released from the list (19) eap: Peer sent packet with method EAP TLS (13) (19) eap: Calling submodule eap_tls to process data (19) eap_tls: (TLS) EAP Peer says that the final record size will be 154 bytes (19) eap_tls: (TLS) EAP Got all data (154 bytes) (19) eap_tls: (TLS) Handshake state - before SSL initialization (19) eap_tls: (TLS) Handshake state - Server before SSL initialization (19) eap_tls: (TLS) Handshake state - Server before SSL initialization (19) eap_tls: (TLS) recv TLS 1.3 Handshake, ClientHello (19) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client hello (19) eap_tls: (TLS) send TLS 1.2 Handshake, ServerHello (19) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server hello (19) eap_tls: (TLS) send TLS 1.2 Handshake, Certificate (19) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write certificate (19) eap_tls: (TLS) send TLS 1.2 Handshake, ServerKeyExchange (19) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write key exchange (19) eap_tls: (TLS) send TLS 1.2 Handshake, CertificateRequest (19) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write certificate request (19) eap_tls: (TLS) send TLS 1.2 Handshake, ServerHelloDone (19) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done (19) eap_tls: (TLS) Server : Need to read more data: SSLv3/TLS write server done (19) eap_tls: (TLS) In Handshake Phase (19) eap: Sending EAP Request (code 1) ID 214 length 1004 (19) eap: EAP session adding &reply:State = 0xeb52e275ea84efc1 (19) [eap] = handled (19) } # authenticate = handled (19) Using Post-Auth-Type Challenge (19) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (19) Challenge { ... } # empty sub-section is ignored (19) session-state: Saving cached attributes (19) Framed-MTU = 994 (19) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (19) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (19) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (19) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (19) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (19) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (19) Sent Access-Challenge Id 64 from 192.168.254.16:1812 to 192.168.254.20:53045 length 1068 (19) EAP-Message = 0x01d603ec0dc00000098f160303003d02000039030332bbf12b0cde9a37ca6c840b972d002c5d5c332a790f8d8197eb57751d1f935500c030000011ff01000100000b0004030001020017000016030307050b0007010006fe0006fb308206f73082055fa003020102020a4fff11373021e4b7f7d0300d06092a864886f70d01010b05003052310b300906035504061302444b31123010060355040a0c094172656e647473656e312f302d06035504030c264172656e647473656e2053657276657273204973737573696e67204341203230323131303130301e170d3233303732323232313430335a170d3234303132323232313430335a306a31123010060a0992268993f22c6401191602646b31193017060a0992268993f22c64011916096172656e647473656e31123010060a0992268993f22c640119160263613125302306035504030c1c6175746830322e696e7465726e616c2e6172656e647473656e2e646b308201a2300d06092a864886f70d010101050003 (19) Message-Authenticator = 0x00000000000000000000000000000000 (19) State = 0xeb52e275ea84efc1932f5b1261513358 (19) Finished request Waking up in 4.8 seconds. (20) Received Access-Request Id 65 from 192.168.254.20:53045 to 192.168.254.16:1812 length 254 (20) User-Name = "F6PJ500VNTH0" (20) NAS-IP-Address = 192.168.254.20 (20) NAS-Identifier = "7a455839b642" (20) Called-Station-Id = "7A-45-58-39-B6-42:arendtsen-secure" (20) NAS-Port-Type = Wireless-802.11 (20) Service-Type = Framed-User (20) Calling-Station-Id = "64-0B-D7-DE-4A-44" (20) Connect-Info = "CONNECT 0Mbps 802.11a" (20) Acct-Session-Id = "C931B4760D7AD332" (20) Acct-Multi-Session-Id = "9E8F3E49C91FA6F6" (20) WLAN-Pairwise-Cipher = 1027081 (20) WLAN-Group-Cipher = 1027081 (20) WLAN-AKM-Suite = 1027084 (20) WLAN-Group-Mgmt-Cipher = 1027084 (20) Framed-MTU = 1400 (20) EAP-Message = 0x02d600060d00 (20) State = 0xeb52e275ea84efc1932f5b1261513358 (20) Message-Authenticator = 0xce48adea51a5f1e54e88ad17ca37df6d (20) Restoring &session-state (20) &session-state:Framed-MTU = 994 (20) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (20) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (20) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (20) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (20) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (20) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (20) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (20) authorize { (20) policy filter_username { (20) if (&User-Name) { (20) if (&User-Name) -> TRUE (20) if (&User-Name) { (20) if (&User-Name =~ / /) { (20) if (&User-Name =~ / /) -> FALSE (20) if (&User-Name =~ /@[^@]*@/ ) { (20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (20) if (&User-Name =~ /\.\./ ) { (20) if (&User-Name =~ /\.\./ ) -> FALSE (20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (20) if (&User-Name =~ /\.$/) { (20) if (&User-Name =~ /\.$/) -> FALSE (20) if (&User-Name =~ /@\./) { (20) if (&User-Name =~ /@\./) -> FALSE (20) } # if (&User-Name) = notfound (20) } # policy filter_username = notfound (20) [preprocess] = ok (20) suffix: Checking for suffix after "@" (20) suffix: No '@' in User-Name = "F6PJ500VNTH0", looking up realm NULL (20) suffix: No such realm "NULL" (20) [suffix] = noop (20) eap: Peer sent EAP Response (code 2) ID 214 length 6 (20) eap: No EAP Start, assuming it's an on-going EAP conversation (20) [eap] = updated (20) [files] = noop rlm_ldap (ldap): Reserved connection (6) (20) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (20) ldap: --> (uid=F6PJ500VNTH0) (20) ldap: Performing search in "dc=users,dc=arendtsen,dc=dk" with filter "(uid=F6PJ500VNTH0)", scope "sub" (20) ldap: Waiting for search result... (20) ldap: User object found at DN "uid=F6PJ500VNTH0,ou=ipad,ou=devices,dc=users,dc=arendtsen,dc=dk" (20) ldap: EXPAND (&(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))) (20) ldap: --> (&(objectClass=posixGroup)(|(member=uid\3dF6PJ500VNTH0\2cou\3dipad\2cou\3ddevices\2cdc\3dusers\2cdc\3darendtsen\2cdc\3ddk)(memberUid=F6PJ500VNTH0))) (20) ldap: Performing search in "dc=groups,dc=arendtsen,dc=dk" with filter "(&(objectClass=posixGroup)(|(member=uid\3dF6PJ500VNTH0\2cou\3dipad\2cou\3ddevices\2cdc\3dusers\2cdc\3darendtsen\2cdc\3ddk)(memberUid=F6PJ500VNTH0)))", scope "sub" (20) ldap: Waiting for search result... (20) ldap: Adding cacheable group object memberships (20) ldap: &control:LDAP-Group += "radius-vlan-secure" (20) ldap: Processing user attributes (20) ldap: control:Password-With-Header += 'F6PJ500VNTH0' rlm_ldap (ldap): Released connection (6) (20) [ldap] = updated (20) [expiration] = noop (20) [logintime] = noop (20) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (20) pap: Removing &control:Password-With-Header (20) pap: WARNING: Auth-Type already set. Not setting to PAP (20) [pap] = noop (20) } # authorize = updated (20) Found Auth-Type = eap (20) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (20) authenticate { (20) eap: Expiring EAP session with state 0xeb52e275ea84efc1 (20) eap: Finished EAP session with state 0xeb52e275ea84efc1 (20) eap: Previous EAP request found for state 0xeb52e275ea84efc1, released from the list (20) eap: Peer sent packet with method EAP TLS (13) (20) eap: Calling submodule eap_tls to process data (20) eap_tls: (TLS) Peer ACKed our handshake fragment (20) eap: Sending EAP Request (code 1) ID 215 length 1004 (20) eap: EAP session adding &reply:State = 0xeb52e275e985efc1 (20) [eap] = handled (20) } # authenticate = handled (20) Using Post-Auth-Type Challenge (20) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (20) Challenge { ... } # empty sub-section is ignored (20) session-state: Saving cached attributes (20) Framed-MTU = 994 (20) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (20) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (20) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (20) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (20) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (20) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (20) Sent Access-Challenge Id 65 from 192.168.254.16:1812 to 192.168.254.20:53045 length 1068 (20) EAP-Message = 0x01d703ec0dc00000098f2f706b692e6172656e647473656e2e646b2f646f776e6c6f61642f4172656e647473656e5f536572766572735f4973737573696e675f43415f32303231313031302e63726c30130603551d25040c300a06082b06010505070301300e0603551d0f0101ff0404030203a83081aa0603551d200481a230819f30819c06032a0304308194302c06082b060105050702011620687474703a2f2f706b692e6172656e647473656e2e646b2f6370732e68746d6c302c06082b060105050702011620687474703a2f2f706b692e6172656e647473656e2e646b2f6370732e68746d6c303606082b06010505070202302a1a2854686973206973206120636f6d6d656e7420666f7220706f6c696379206f696420312e322e332e3430819d0603551d11048195308192821a617574682e696e7465726e616c2e6172656e647473656e2e646b821c6175746830322e696e7465726e616c2e6172656e647473656e2e646b821c6c64617030322e696e746572 (20) Message-Authenticator = 0x00000000000000000000000000000000 (20) State = 0xeb52e275e985efc1932f5b1261513358 (20) Finished request Waking up in 4.8 seconds. (21) Received Access-Request Id 66 from 192.168.254.20:53045 to 192.168.254.16:1812 length 254 (21) User-Name = "F6PJ500VNTH0" (21) NAS-IP-Address = 192.168.254.20 (21) NAS-Identifier = "7a455839b642" (21) Called-Station-Id = "7A-45-58-39-B6-42:arendtsen-secure" (21) NAS-Port-Type = Wireless-802.11 (21) Service-Type = Framed-User (21) Calling-Station-Id = "64-0B-D7-DE-4A-44" (21) Connect-Info = "CONNECT 0Mbps 802.11a" (21) Acct-Session-Id = "C931B4760D7AD332" (21) Acct-Multi-Session-Id = "9E8F3E49C91FA6F6" (21) WLAN-Pairwise-Cipher = 1027081 (21) WLAN-Group-Cipher = 1027081 (21) WLAN-AKM-Suite = 1027084 (21) WLAN-Group-Mgmt-Cipher = 1027084 (21) Framed-MTU = 1400 (21) EAP-Message = 0x02d700060d00 (21) State = 0xeb52e275e985efc1932f5b1261513358 (21) Message-Authenticator = 0x4ff6b219efd02a30e32c11ea55fc536c (21) Restoring &session-state (21) &session-state:Framed-MTU = 994 (21) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (21) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (21) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (21) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (21) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (21) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (21) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (21) authorize { (21) policy filter_username { (21) if (&User-Name) { (21) if (&User-Name) -> TRUE (21) if (&User-Name) { (21) if (&User-Name =~ / /) { (21) if (&User-Name =~ / /) -> FALSE (21) if (&User-Name =~ /@[^@]*@/ ) { (21) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (21) if (&User-Name =~ /\.\./ ) { (21) if (&User-Name =~ /\.\./ ) -> FALSE (21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (21) if (&User-Name =~ /\.$/) { (21) if (&User-Name =~ /\.$/) -> FALSE (21) if (&User-Name =~ /@\./) { (21) if (&User-Name =~ /@\./) -> FALSE (21) } # if (&User-Name) = notfound (21) } # policy filter_username = notfound (21) [preprocess] = ok (21) suffix: Checking for suffix after "@" (21) suffix: No '@' in User-Name = "F6PJ500VNTH0", looking up realm NULL (21) suffix: No such realm "NULL" (21) [suffix] = noop (21) eap: Peer sent EAP Response (code 2) ID 215 length 6 (21) eap: No EAP Start, assuming it's an on-going EAP conversation (21) [eap] = updated (21) [files] = noop rlm_ldap (ldap): Reserved connection (7) (21) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (21) ldap: --> (uid=F6PJ500VNTH0) (21) ldap: Performing search in "dc=users,dc=arendtsen,dc=dk" with filter "(uid=F6PJ500VNTH0)", scope "sub" (21) ldap: Waiting for search result... (21) ldap: User object found at DN "uid=F6PJ500VNTH0,ou=ipad,ou=devices,dc=users,dc=arendtsen,dc=dk" (21) ldap: EXPAND (&(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))) (21) ldap: --> (&(objectClass=posixGroup)(|(member=uid\3dF6PJ500VNTH0\2cou\3dipad\2cou\3ddevices\2cdc\3dusers\2cdc\3darendtsen\2cdc\3ddk)(memberUid=F6PJ500VNTH0))) (21) ldap: Performing search in "dc=groups,dc=arendtsen,dc=dk" with filter "(&(objectClass=posixGroup)(|(member=uid\3dF6PJ500VNTH0\2cou\3dipad\2cou\3ddevices\2cdc\3dusers\2cdc\3darendtsen\2cdc\3ddk)(memberUid=F6PJ500VNTH0)))", scope "sub" (21) ldap: Waiting for search result... (21) ldap: Adding cacheable group object memberships (21) ldap: &control:LDAP-Group += "radius-vlan-secure" (21) ldap: Processing user attributes (21) ldap: control:Password-With-Header += 'F6PJ500VNTH0' rlm_ldap (ldap): Released connection (7) (21) [ldap] = updated (21) [expiration] = noop (21) [logintime] = noop (21) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (21) pap: Removing &control:Password-With-Header (21) pap: WARNING: Auth-Type already set. Not setting to PAP (21) [pap] = noop (21) } # authorize = updated (21) Found Auth-Type = eap (21) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (21) authenticate { (21) eap: Expiring EAP session with state 0xeb52e275e985efc1 (21) eap: Finished EAP session with state 0xeb52e275e985efc1 (21) eap: Previous EAP request found for state 0xeb52e275e985efc1, released from the list (21) eap: Peer sent packet with method EAP TLS (13) (21) eap: Calling submodule eap_tls to process data (21) eap_tls: (TLS) Peer ACKed our handshake fragment (21) eap: Sending EAP Request (code 1) ID 216 length 469 (21) eap: EAP session adding &reply:State = 0xeb52e275e88aefc1 (21) [eap] = handled (21) } # authenticate = handled (21) Using Post-Auth-Type Challenge (21) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (21) Challenge { ... } # empty sub-section is ignored (21) session-state: Saving cached attributes (21) Framed-MTU = 994 (21) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (21) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (21) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (21) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (21) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (21) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (21) Sent Access-Challenge Id 66 from 192.168.254.16:1812 to 192.168.254.20:53045 length 529 (21) EAP-Message = 0x01d801d50d800000098f7adc833807b86b98bf826bbe75d251c7ab9de1c688c47861a15de46596a609edcd9a1118f6bef0c4eba5fd7dcfbd02e2c6c07e72367411ab510c2647d4488b56c671825e616416869d326c7a36b226e0f8d4f3e3749ab2e03e48bfd6e60794f7a772832bc8a3221914e122ec4e0dade3abefc2c0689ba45eeed49bca0637065fcd1b7e47cf504d12f44d1cfd1b5f8f3fe9a15673c3bc0246f1cef94415930b063c5d78c9b276984b3c76099e22e13af8ee3c14b5b6064afaf1bfb863f33993a6cd1ddf5518e84806fc5dbdd7bc82388de4d50204741ee70e58fc4f8a81b0a17e4e60b6ccee3eca873482382523e4061772934ae45cadceb8ddc7e9729185a2c0ba73af154bb8d17ee5a695631adbc39f51fbfcd1db06a4ea246b300c9c38e0a786bdcfa7df09aada6a6eb88a826fe3112afc5c32ac5e3d37c669093be9e5c10d039f1c48451063ac0a3118afa0d2e5b18cb823c293a61348dbb916030300630d00005f03010240002e04030503 (21) Message-Authenticator = 0x00000000000000000000000000000000 (21) State = 0xeb52e275e88aefc1932f5b1261513358 (21) Finished request Waking up in 4.8 seconds. (22) Received Access-Request Id 67 from 192.168.254.20:53045 to 192.168.254.16:1812 length 1534 (22) User-Name = "F6PJ500VNTH0" (22) NAS-IP-Address = 192.168.254.20 (22) NAS-Identifier = "7a455839b642" (22) Called-Station-Id = "7A-45-58-39-B6-42:arendtsen-secure" (22) NAS-Port-Type = Wireless-802.11 (22) Service-Type = Framed-User (22) Calling-Station-Id = "64-0B-D7-DE-4A-44" (22) Connect-Info = "CONNECT 0Mbps 802.11a" (22) Acct-Session-Id = "C931B4760D7AD332" (22) Acct-Multi-Session-Id = "9E8F3E49C91FA6F6" (22) WLAN-Pairwise-Cipher = 1027081 (22) WLAN-Group-Cipher = 1027081 (22) WLAN-AKM-Suite = 1027084 (22) WLAN-Group-Mgmt-Cipher = 1027084 (22) Framed-MTU = 1400 (22) EAP-Message = 0x02d804fc0dc0000010671603030ed70b000ed3000ed00005df308205db30820443a003020102020a6cff7e76695b0cf259f0300d06092a864886f70d01010b05003052310b300906035504061302444b31123010060355040a0c094172656e647473656e312f302d06035504030c264172656e647473656e2044657669636573204973737573696e67204341203230323131303131301e170d3233303733313230333935395a170d3234303733313230333935395a306e31123010060a0992268993f22c6401191602646b31193017060a0992268993f22c64011916096172656e647473656e31173015060a0992268993f22c640119160764657669636573310d300b060355040b0c04697061643115301306035504030c0c4636504a353030564e54483030820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb81cc2e73b30d8bebd5867d25e931f1522b3f4c1776622728fc42c6aa60366a2ceeabab822105dbbe9cf282fdb2a1543 (22) State = 0xeb52e275e88aefc1932f5b1261513358 (22) Message-Authenticator = 0xe45d93621928363555de48989d9708d7 (22) Restoring &session-state (22) &session-state:Framed-MTU = 994 (22) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (22) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (22) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (22) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (22) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (22) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (22) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (22) authorize { (22) policy filter_username { (22) if (&User-Name) { (22) if (&User-Name) -> TRUE (22) if (&User-Name) { (22) if (&User-Name =~ / /) { (22) if (&User-Name =~ / /) -> FALSE (22) if (&User-Name =~ /@[^@]*@/ ) { (22) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (22) if (&User-Name =~ /\.\./ ) { (22) if (&User-Name =~ /\.\./ ) -> FALSE (22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (22) if (&User-Name =~ /\.$/) { (22) if (&User-Name =~ /\.$/) -> FALSE (22) if (&User-Name =~ /@\./) { (22) if (&User-Name =~ /@\./) -> FALSE (22) } # if (&User-Name) = notfound (22) } # policy filter_username = notfound (22) [preprocess] = ok (22) suffix: Checking for suffix after "@" (22) suffix: No '@' in User-Name = "F6PJ500VNTH0", looking up realm NULL (22) suffix: No such realm "NULL" (22) [suffix] = noop (22) eap: Peer sent EAP Response (code 2) ID 216 length 1276 (22) eap: No EAP Start, assuming it's an on-going EAP conversation (22) [eap] = updated (22) [files] = noop rlm_ldap (ldap): Reserved connection (6) (22) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (22) ldap: --> (uid=F6PJ500VNTH0) (22) ldap: Performing search in "dc=users,dc=arendtsen,dc=dk" with filter "(uid=F6PJ500VNTH0)", scope "sub" (22) ldap: Waiting for search result... (22) ldap: User object found at DN "uid=F6PJ500VNTH0,ou=ipad,ou=devices,dc=users,dc=arendtsen,dc=dk" (22) ldap: EXPAND (&(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))) (22) ldap: --> (&(objectClass=posixGroup)(|(member=uid\3dF6PJ500VNTH0\2cou\3dipad\2cou\3ddevices\2cdc\3dusers\2cdc\3darendtsen\2cdc\3ddk)(memberUid=F6PJ500VNTH0))) (22) ldap: Performing search in "dc=groups,dc=arendtsen,dc=dk" with filter "(&(objectClass=posixGroup)(|(member=uid\3dF6PJ500VNTH0\2cou\3dipad\2cou\3ddevices\2cdc\3dusers\2cdc\3darendtsen\2cdc\3ddk)(memberUid=F6PJ500VNTH0)))", scope "sub" (22) ldap: Waiting for search result... (22) ldap: Adding cacheable group object memberships (22) ldap: &control:LDAP-Group += "radius-vlan-secure" (22) ldap: Processing user attributes (22) ldap: control:Password-With-Header += 'F6PJ500VNTH0' rlm_ldap (ldap): Released connection (6) (22) [ldap] = updated (22) [expiration] = noop (22) [logintime] = noop (22) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (22) pap: Removing &control:Password-With-Header (22) pap: WARNING: Auth-Type already set. Not setting to PAP (22) [pap] = noop (22) } # authorize = updated (22) Found Auth-Type = eap (22) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (22) authenticate { (22) eap: Expiring EAP session with state 0xeb52e275e88aefc1 (22) eap: Finished EAP session with state 0xeb52e275e88aefc1 (22) eap: Previous EAP request found for state 0xeb52e275e88aefc1, released from the list (22) eap: Peer sent packet with method EAP TLS (13) (22) eap: Calling submodule eap_tls to process data (22) eap_tls: (TLS) EAP Peer says that the final record size will be 4199 bytes (22) eap_tls: (TLS) EAP Expecting 4 fragments (22) eap_tls: (TLS) EAP Got first TLS fragment (1266 bytes). Peer says more fragments will follow (22) eap_tls: (TLS) EAP ACKing fragment, the peer should send more data. (22) eap: Sending EAP Request (code 1) ID 217 length 6 (22) eap: EAP session adding &reply:State = 0xeb52e275ef8befc1 (22) [eap] = handled (22) } # authenticate = handled (22) Using Post-Auth-Type Challenge (22) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (22) Challenge { ... } # empty sub-section is ignored (22) session-state: Saving cached attributes (22) Framed-MTU = 994 (22) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (22) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (22) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (22) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (22) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (22) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (22) Sent Access-Challenge Id 67 from 192.168.254.16:1812 to 192.168.254.20:53045 length 64 (22) EAP-Message = 0x01d900060d00 (22) Message-Authenticator = 0x00000000000000000000000000000000 (22) State = 0xeb52e275ef8befc1932f5b1261513358 (22) Finished request Waking up in 4.8 seconds. (23) Received Access-Request Id 68 from 192.168.254.20:53045 to 192.168.254.16:1812 length 1534 (23) User-Name = "F6PJ500VNTH0" (23) NAS-IP-Address = 192.168.254.20 (23) NAS-Identifier = "7a455839b642" (23) Called-Station-Id = "7A-45-58-39-B6-42:arendtsen-secure" (23) NAS-Port-Type = Wireless-802.11 (23) Service-Type = Framed-User (23) Calling-Station-Id = "64-0B-D7-DE-4A-44" (23) Connect-Info = "CONNECT 0Mbps 802.11a" (23) Acct-Session-Id = "C931B4760D7AD332" (23) Acct-Multi-Session-Id = "9E8F3E49C91FA6F6" (23) WLAN-Pairwise-Cipher = 1027081 (23) WLAN-Group-Cipher = 1027081 (23) WLAN-AKM-Suite = 1027084 (23) WLAN-Group-Mgmt-Cipher = 1027084 (23) Framed-MTU = 1400 (23) EAP-Message = 0x02d904fc0d407d4b4626885f9b2d2ee89b3861413d77298f3e023b94e850cefb9e6de37835294e2751ab93b97fc1c4f8dfedaccc865d966a2f7ac5afdf9c2d75882b98e344034249f92e7b9c577977f7aad17efe1e1b61abe7376996c4655ec08f06a9481ba27284680d3c2237a6db38aa238ca258ac00ebdc6d3f55e46e7805ddd0fb716ad6e00399ed82ba21ffe076a6e01c764ab07ec431eb7476f43004191999e4a71638b2aaee9730ed472b147d8e56fd8f8f5a91c82a1a459ea854be39af75f7d5f971fa374bbb893ad8bb51b4dc341e5aedc15edfcd788f05bc25828f8d68b69f8b310fbe6aba64b5c37a99b237e0eef8c03d3c08fb3588d46ba7d1b82c4a0004ac308204a830820310a0030201020214714cce994724fbab9c091bbe8d98c700e39a3efb300d06092a864886f70d01010b050030253123302106035504030c1a4172656e647473656e20526f6f74204341203230323130383233301e170d3231313031313139313730385a170d323631303133 (23) State = 0xeb52e275ef8befc1932f5b1261513358 (23) Message-Authenticator = 0x9bc377bf7fa724caac7c03b6728fc421 (23) Restoring &session-state (23) &session-state:Framed-MTU = 994 (23) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (23) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (23) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (23) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (23) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (23) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (23) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (23) authorize { (23) policy filter_username { (23) if (&User-Name) { (23) if (&User-Name) -> TRUE (23) if (&User-Name) { (23) if (&User-Name =~ / /) { (23) if (&User-Name =~ / /) -> FALSE (23) if (&User-Name =~ /@[^@]*@/ ) { (23) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (23) if (&User-Name =~ /\.\./ ) { (23) if (&User-Name =~ /\.\./ ) -> FALSE (23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (23) if (&User-Name =~ /\.$/) { (23) if (&User-Name =~ /\.$/) -> FALSE (23) if (&User-Name =~ /@\./) { (23) if (&User-Name =~ /@\./) -> FALSE (23) } # if (&User-Name) = notfound (23) } # policy filter_username = notfound (23) [preprocess] = ok (23) suffix: Checking for suffix after "@" (23) suffix: No '@' in User-Name = "F6PJ500VNTH0", looking up realm NULL (23) suffix: No such realm "NULL" (23) [suffix] = noop (23) eap: Peer sent EAP Response (code 2) ID 217 length 1276 (23) eap: No EAP Start, assuming it's an on-going EAP conversation (23) [eap] = updated (23) [files] = noop rlm_ldap (ldap): Reserved connection (7) (23) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (23) ldap: --> (uid=F6PJ500VNTH0) (23) ldap: Performing search in "dc=users,dc=arendtsen,dc=dk" with filter "(uid=F6PJ500VNTH0)", scope "sub" (23) ldap: Waiting for search result... (23) ldap: User object found at DN "uid=F6PJ500VNTH0,ou=ipad,ou=devices,dc=users,dc=arendtsen,dc=dk" (23) ldap: EXPAND (&(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))) (23) ldap: --> (&(objectClass=posixGroup)(|(member=uid\3dF6PJ500VNTH0\2cou\3dipad\2cou\3ddevices\2cdc\3dusers\2cdc\3darendtsen\2cdc\3ddk)(memberUid=F6PJ500VNTH0))) (23) ldap: Performing search in "dc=groups,dc=arendtsen,dc=dk" with filter "(&(objectClass=posixGroup)(|(member=uid\3dF6PJ500VNTH0\2cou\3dipad\2cou\3ddevices\2cdc\3dusers\2cdc\3darendtsen\2cdc\3ddk)(memberUid=F6PJ500VNTH0)))", scope "sub" (23) ldap: Waiting for search result... (23) ldap: Adding cacheable group object memberships (23) ldap: &control:LDAP-Group += "radius-vlan-secure" (23) ldap: Processing user attributes (23) ldap: control:Password-With-Header += 'F6PJ500VNTH0' rlm_ldap (ldap): Released connection (7) (23) [ldap] = updated (23) [expiration] = noop (23) [logintime] = noop (23) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (23) pap: Removing &control:Password-With-Header (23) pap: WARNING: Auth-Type already set. Not setting to PAP (23) [pap] = noop (23) } # authorize = updated (23) Found Auth-Type = eap (23) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (23) authenticate { (23) eap: Expiring EAP session with state 0xeb52e275ef8befc1 (23) eap: Finished EAP session with state 0xeb52e275ef8befc1 (23) eap: Previous EAP request found for state 0xeb52e275ef8befc1, released from the list (23) eap: Peer sent packet with method EAP TLS (13) (23) eap: Calling submodule eap_tls to process data (23) eap_tls: (TLS) EAP Got additional fragment (1270 bytes). Peer says more fragments will follow (23) eap_tls: (TLS) EAP ACKing fragment, the peer should send more data. (23) eap: Sending EAP Request (code 1) ID 218 length 6 (23) eap: EAP session adding &reply:State = 0xeb52e275ee88efc1 (23) [eap] = handled (23) } # authenticate = handled (23) Using Post-Auth-Type Challenge (23) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (23) Challenge { ... } # empty sub-section is ignored (23) session-state: Saving cached attributes (23) Framed-MTU = 994 (23) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (23) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (23) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (23) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (23) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (23) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (23) Sent Access-Challenge Id 68 from 192.168.254.16:1812 to 192.168.254.20:53045 length 64 (23) EAP-Message = 0x01da00060d00 (23) Message-Authenticator = 0x00000000000000000000000000000000 (23) State = 0xeb52e275ee88efc1932f5b1261513358 (23) Finished request Waking up in 4.8 seconds. (24) Received Access-Request Id 69 from 192.168.254.20:53045 to 192.168.254.16:1812 length 1534 (24) User-Name = "F6PJ500VNTH0" (24) NAS-IP-Address = 192.168.254.20 (24) NAS-Identifier = "7a455839b642" (24) Called-Station-Id = "7A-45-58-39-B6-42:arendtsen-secure" (24) NAS-Port-Type = Wireless-802.11 (24) Service-Type = Framed-User (24) Calling-Station-Id = "64-0B-D7-DE-4A-44" (24) Connect-Info = "CONNECT 0Mbps 802.11a" (24) Acct-Session-Id = "C931B4760D7AD332" (24) Acct-Multi-Session-Id = "9E8F3E49C91FA6F6" (24) WLAN-Pairwise-Cipher = 1027081 (24) WLAN-Group-Cipher = 1027081 (24) WLAN-AKM-Suite = 1027084 (24) WLAN-Group-Mgmt-Cipher = 1027084 (24) Framed-MTU = 1400 (24) EAP-Message = 0x02da04fc0d40774a1d86a204d65556858a26fe4c0c29f00a5892de191045a9f00e600a749013c1b9184c43b0b246dfd5f9a590119b921a7fe52f2b9f3d98dffacd7a3e47a1ebd086446439168557137d936efe15a0c5f681daa949b4bac170b5f7de2243a0fe5b47a610883b41fbd44340c48b7f8707e03d4acea310bad731b4eb6bf4e49d8df130d535ac6642338f8d4e09b8c0b53281d535b0ebc2ca03c99cbaf192359a0d412dc70900e05ac47b14a0de768f23b5202b97cb5000043c30820438308202a0a00302010202147b4cf83e65f4f0080e65db4a8bbf787d00690640300d06092a864886f70d01010b050030253123302106035504030c1a4172656e647473656e20526f6f74204341203230323130383233301e170d3231303832333138303630325a170d3331303832363138303630325a30253123302106035504030c1a4172656e647473656e20526f6f74204341203230323130383233308201a2300d06092a864886f70d01010105000382018f0030 (24) State = 0xeb52e275ee88efc1932f5b1261513358 (24) Message-Authenticator = 0x51a2449ca66ffaa0654ccf69d95f6018 (24) Restoring &session-state (24) &session-state:Framed-MTU = 994 (24) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (24) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (24) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (24) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (24) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (24) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (24) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (24) authorize { (24) policy filter_username { (24) if (&User-Name) { (24) if (&User-Name) -> TRUE (24) if (&User-Name) { (24) if (&User-Name =~ / /) { (24) if (&User-Name =~ / /) -> FALSE (24) if (&User-Name =~ /@[^@]*@/ ) { (24) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (24) if (&User-Name =~ /\.\./ ) { (24) if (&User-Name =~ /\.\./ ) -> FALSE (24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (24) if (&User-Name =~ /\.$/) { (24) if (&User-Name =~ /\.$/) -> FALSE (24) if (&User-Name =~ /@\./) { (24) if (&User-Name =~ /@\./) -> FALSE (24) } # if (&User-Name) = notfound (24) } # policy filter_username = notfound (24) [preprocess] = ok (24) suffix: Checking for suffix after "@" (24) suffix: No '@' in User-Name = "F6PJ500VNTH0", looking up realm NULL (24) suffix: No such realm "NULL" (24) [suffix] = noop (24) eap: Peer sent EAP Response (code 2) ID 218 length 1276 (24) eap: No EAP Start, assuming it's an on-going EAP conversation (24) [eap] = updated (24) [files] = noop rlm_ldap (ldap): Reserved connection (6) (24) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (24) ldap: --> (uid=F6PJ500VNTH0) (24) ldap: Performing search in "dc=users,dc=arendtsen,dc=dk" with filter "(uid=F6PJ500VNTH0)", scope "sub" (24) ldap: Waiting for search result... (24) ldap: User object found at DN "uid=F6PJ500VNTH0,ou=ipad,ou=devices,dc=users,dc=arendtsen,dc=dk" (24) ldap: EXPAND (&(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))) (24) ldap: --> (&(objectClass=posixGroup)(|(member=uid\3dF6PJ500VNTH0\2cou\3dipad\2cou\3ddevices\2cdc\3dusers\2cdc\3darendtsen\2cdc\3ddk)(memberUid=F6PJ500VNTH0))) (24) ldap: Performing search in "dc=groups,dc=arendtsen,dc=dk" with filter "(&(objectClass=posixGroup)(|(member=uid\3dF6PJ500VNTH0\2cou\3dipad\2cou\3ddevices\2cdc\3dusers\2cdc\3darendtsen\2cdc\3ddk)(memberUid=F6PJ500VNTH0)))", scope "sub" (24) ldap: Waiting for search result... (24) ldap: Adding cacheable group object memberships (24) ldap: &control:LDAP-Group += "radius-vlan-secure" (24) ldap: Processing user attributes (24) ldap: control:Password-With-Header += 'F6PJ500VNTH0' rlm_ldap (ldap): Released connection (6) (24) [ldap] = updated (24) [expiration] = noop (24) [logintime] = noop (24) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (24) pap: Removing &control:Password-With-Header (24) pap: WARNING: Auth-Type already set. Not setting to PAP (24) [pap] = noop (24) } # authorize = updated (24) Found Auth-Type = eap (24) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (24) authenticate { (24) eap: Expiring EAP session with state 0xeb52e275ee88efc1 (24) eap: Finished EAP session with state 0xeb52e275ee88efc1 (24) eap: Previous EAP request found for state 0xeb52e275ee88efc1, released from the list (24) eap: Peer sent packet with method EAP TLS (13) (24) eap: Calling submodule eap_tls to process data (24) eap_tls: (TLS) EAP Got additional fragment (1270 bytes). Peer says more fragments will follow (24) eap_tls: (TLS) EAP ACKing fragment, the peer should send more data. (24) eap: Sending EAP Request (code 1) ID 219 length 6 (24) eap: EAP session adding &reply:State = 0xeb52e275ed89efc1 (24) [eap] = handled (24) } # authenticate = handled (24) Using Post-Auth-Type Challenge (24) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (24) Challenge { ... } # empty sub-section is ignored (24) session-state: Saving cached attributes (24) Framed-MTU = 994 (24) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (24) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (24) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (24) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (24) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (24) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (24) Sent Access-Challenge Id 69 from 192.168.254.16:1812 to 192.168.254.20:53045 length 64 (24) EAP-Message = 0x01db00060d00 (24) Message-Authenticator = 0x00000000000000000000000000000000 (24) State = 0xeb52e275ed89efc1932f5b1261513358 (24) Finished request Waking up in 4.8 seconds. (25) Received Access-Request Id 70 from 192.168.254.20:53045 to 192.168.254.16:1812 length 649 (25) User-Name = "F6PJ500VNTH0" (25) NAS-IP-Address = 192.168.254.20 (25) NAS-Identifier = "7a455839b642" (25) Called-Station-Id = "7A-45-58-39-B6-42:arendtsen-secure" (25) NAS-Port-Type = Wireless-802.11 (25) Service-Type = Framed-User (25) Calling-Station-Id = "64-0B-D7-DE-4A-44" (25) Connect-Info = "CONNECT 0Mbps 802.11a" (25) Acct-Session-Id = "C931B4760D7AD332" (25) Acct-Multi-Session-Id = "9E8F3E49C91FA6F6" (25) WLAN-Pairwise-Cipher = 1027081 (25) WLAN-Group-Cipher = 1027081 (25) WLAN-AKM-Suite = 1027084 (25) WLAN-Group-Mgmt-Cipher = 1027084 (25) Framed-MTU = 1400 (25) EAP-Message = 0x02db018f0d00030046100000424104a2c0d6c9ea38385ced2f2af58438c034edf79fb06a6978af38ea8802260fbb924fb5efa7b468178633018a9681cd134a3c0a85531293ba7b815b648b3ce280b116030301080f00010408040100758eaadc9e5a3132ecb783e80bcf1ad8040cc5c914c29a7e4bdf1744d368d65f2793172342886fa264e71f32df568eb9f209bceb62e37b10b7aaefa7df2f8a6d1f6b7954cc3312b54bacaa8bd3443fef5747bda5459ed4dba5b5493aeba6a275017c00d8e105fc0dc269c2c4ba36013f6702a7fea528749bc39b2ed3aa50676aa71a51171962a9bd32d3898651dc621b923dd46706922ea16aca42f8f2509868ae15f78301c559636d98a2613428e352cc403fbc5b190509615cd3d2a694da1c405da576e462022d119a0712c7886c509e0db79bc864c5e42812409fa6363a8bc3e6524ba8afed842929bea90cbb9cdaa4ffee0703a9febc6bc5a60f3698cfe41403030001011603030028000000000000000096df74dd77442b6f (25) State = 0xeb52e275ed89efc1932f5b1261513358 (25) Message-Authenticator = 0xcd0cda7e0d85dcfaecaa1f0eac876410 (25) Restoring &session-state (25) &session-state:Framed-MTU = 994 (25) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (25) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (25) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (25) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (25) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (25) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (25) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (25) authorize { (25) policy filter_username { (25) if (&User-Name) { (25) if (&User-Name) -> TRUE (25) if (&User-Name) { (25) if (&User-Name =~ / /) { (25) if (&User-Name =~ / /) -> FALSE (25) if (&User-Name =~ /@[^@]*@/ ) { (25) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (25) if (&User-Name =~ /\.\./ ) { (25) if (&User-Name =~ /\.\./ ) -> FALSE (25) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (25) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (25) if (&User-Name =~ /\.$/) { (25) if (&User-Name =~ /\.$/) -> FALSE (25) if (&User-Name =~ /@\./) { (25) if (&User-Name =~ /@\./) -> FALSE (25) } # if (&User-Name) = notfound (25) } # policy filter_username = notfound (25) [preprocess] = ok (25) suffix: Checking for suffix after "@" (25) suffix: No '@' in User-Name = "F6PJ500VNTH0", looking up realm NULL (25) suffix: No such realm "NULL" (25) [suffix] = noop (25) eap: Peer sent EAP Response (code 2) ID 219 length 399 (25) eap: No EAP Start, assuming it's an on-going EAP conversation (25) [eap] = updated (25) [files] = noop rlm_ldap (ldap): Reserved connection (7) (25) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (25) ldap: --> (uid=F6PJ500VNTH0) (25) ldap: Performing search in "dc=users,dc=arendtsen,dc=dk" with filter "(uid=F6PJ500VNTH0)", scope "sub" (25) ldap: Waiting for search result... (25) ldap: User object found at DN "uid=F6PJ500VNTH0,ou=ipad,ou=devices,dc=users,dc=arendtsen,dc=dk" (25) ldap: EXPAND (&(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))) (25) ldap: --> (&(objectClass=posixGroup)(|(member=uid\3dF6PJ500VNTH0\2cou\3dipad\2cou\3ddevices\2cdc\3dusers\2cdc\3darendtsen\2cdc\3ddk)(memberUid=F6PJ500VNTH0))) (25) ldap: Performing search in "dc=groups,dc=arendtsen,dc=dk" with filter "(&(objectClass=posixGroup)(|(member=uid\3dF6PJ500VNTH0\2cou\3dipad\2cou\3ddevices\2cdc\3dusers\2cdc\3darendtsen\2cdc\3ddk)(memberUid=F6PJ500VNTH0)))", scope "sub" (25) ldap: Waiting for search result... (25) ldap: Adding cacheable group object memberships (25) ldap: &control:LDAP-Group += "radius-vlan-secure" (25) ldap: Processing user attributes (25) ldap: control:Password-With-Header += 'F6PJ500VNTH0' rlm_ldap (ldap): Released connection (7) (25) [ldap] = updated (25) [expiration] = noop (25) [logintime] = noop (25) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (25) pap: Removing &control:Password-With-Header (25) pap: WARNING: Auth-Type already set. Not setting to PAP (25) [pap] = noop (25) } # authorize = updated (25) Found Auth-Type = eap (25) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (25) authenticate { (25) eap: Expiring EAP session with state 0xeb52e275ed89efc1 (25) eap: Finished EAP session with state 0xeb52e275ed89efc1 (25) eap: Previous EAP request found for state 0xeb52e275ed89efc1, released from the list (25) eap: Peer sent packet with method EAP TLS (13) (25) eap: Calling submodule eap_tls to process data (25) eap_tls: (TLS) EAP Got final fragment (393 bytes) (25) eap_tls: (TLS) EAP Done initial handshake (25) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done (25) eap_tls: (TLS) recv TLS 1.2 Handshake, Certificate (25) eap_tls: (TLS) Creating attributes from ????? ?? certificate (25) eap_tls: (TLS) Creating attributes from server certificate (25) eap_tls: TLS-Cert-Serial := "714cce994724fbab9c091bbe8d98c700e39a3efb" (25) eap_tls: TLS-Cert-Expiration := "261013191708Z" (25) eap_tls: TLS-Cert-Valid-Since := "211011191708Z" (25) eap_tls: TLS-Cert-Subject := "/C=DK/O=Arendtsen/CN=Arendtsen Devices Issusing CA 20211011" (25) eap_tls: TLS-Cert-Issuer := "/CN=Arendtsen Root CA 20210823" (25) eap_tls: TLS-Cert-Common-Name := "Arendtsen Devices Issusing CA 20211011" (25) eap_tls: (TLS) Creating attributes from client certificate (25) eap_tls: TLS-Client-Cert-Serial := "6cff7e76695b0cf259f0" (25) eap_tls: TLS-Client-Cert-Expiration := "240731203959Z" (25) eap_tls: TLS-Client-Cert-Valid-Since := "230731203959Z" (25) eap_tls: TLS-Client-Cert-Subject := "/DC=dk/DC=arendtsen/DC=devices/OU=ipad/CN=F6PJ500VNTH0" (25) eap_tls: TLS-Client-Cert-Issuer := "/C=DK/O=Arendtsen/CN=Arendtsen Devices Issusing CA 20211011" (25) eap_tls: TLS-Client-Cert-Common-Name := "F6PJ500VNTH0" (25) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:10:1C:A7:8C:D7:17:69:61:C6:0B:F3:8F:B2:D4:7E:EC:0D:11:82:27\n" (25) eap_tls: TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE" (25) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication" (25) eap_tls: TLS-Client-Cert-X509v3-Certificate-Policies += "Policy: 1.2.3.4\n CPS: http://pki.arendtsen.dk/cps.html\n CPS: http://pki.arendtsen.dk/cps.html\n User Notice:\n Explicit Text: This is a comment for policy oid 1.2.3.4\n" (25) eap_tls: TLS-Client-Cert-X509v3-Subject-Key-Identifier += "81:17:16:D4:F4:AC:85:99:09:6C:53:F2:B6:F5:EE:76:E0:88:45:EA" (25) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" Certificate chain - 2 cert(s) untrusted (TLS) untrusted certificate with depth [2] subject name /CN=Arendtsen Root CA 20210823 (TLS) untrusted certificate with depth [1] subject name /C=DK/O=Arendtsen/CN=Arendtsen Devices Issusing CA 20211011 (TLS) untrusted certificate with depth [0] subject name /DC=dk/DC=arendtsen/DC=devices/OU=ipad/CN=F6PJ500VNTH0 (25) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client certificate (25) eap_tls: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange (25) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client key exchange (25) eap_tls: (TLS) recv TLS 1.2 Handshake, CertificateVerify (25) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read certificate verify (25) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read change cipher spec (25) eap_tls: (TLS) recv TLS 1.2 Handshake, Finished (25) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read finished (25) eap_tls: (TLS) send TLS 1.2 ChangeCipherSpec (25) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write change cipher spec (25) eap_tls: (TLS) send TLS 1.2 Handshake, Finished (25) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write finished (25) eap_tls: (TLS) Handshake state - SSL negotiation finished successfully (25) eap_tls: (TLS) Connection Established (25) eap_tls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (25) eap_tls: TLS-Session-Version = "TLS 1.2" (25) eap: Sending EAP Request (code 1) ID 220 length 61 (25) eap: EAP session adding &reply:State = 0xeb52e275ec8eefc1 (25) [eap] = handled (25) } # authenticate = handled (25) Using Post-Auth-Type Challenge (25) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (25) Challenge { ... } # empty sub-section is ignored (25) session-state: Saving cached attributes (25) Framed-MTU = 994 (25) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (25) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (25) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (25) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (25) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (25) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (25) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Certificate" (25) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (25) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, CertificateVerify" (25) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (25) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (25) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (25) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (25) TLS-Session-Version = "TLS 1.2" (25) Sent Access-Challenge Id 70 from 192.168.254.16:1812 to 192.168.254.20:53045 length 119 (25) EAP-Message = 0x01dc003d0d80000000331403030001011603030028a59cc7fe12d82adb0000c30c45798a75baa46d78edbf3ac47c537a3724d88ba7f5aaa21e03ccc388 (25) Message-Authenticator = 0x00000000000000000000000000000000 (25) State = 0xeb52e275ec8eefc1932f5b1261513358 (25) Finished request Waking up in 4.7 seconds. (26) Received Access-Request Id 71 from 192.168.254.20:53045 to 192.168.254.16:1812 length 254 (26) User-Name = "F6PJ500VNTH0" (26) NAS-IP-Address = 192.168.254.20 (26) NAS-Identifier = "7a455839b642" (26) Called-Station-Id = "7A-45-58-39-B6-42:arendtsen-secure" (26) NAS-Port-Type = Wireless-802.11 (26) Service-Type = Framed-User (26) Calling-Station-Id = "64-0B-D7-DE-4A-44" (26) Connect-Info = "CONNECT 0Mbps 802.11a" (26) Acct-Session-Id = "C931B4760D7AD332" (26) Acct-Multi-Session-Id = "9E8F3E49C91FA6F6" (26) WLAN-Pairwise-Cipher = 1027081 (26) WLAN-Group-Cipher = 1027081 (26) WLAN-AKM-Suite = 1027084 (26) WLAN-Group-Mgmt-Cipher = 1027084 (26) Framed-MTU = 1400 (26) EAP-Message = 0x02dc00060d00 (26) State = 0xeb52e275ec8eefc1932f5b1261513358 (26) Message-Authenticator = 0x082d2632fb8924e57cf1f118ed576b18 (26) Restoring &session-state (26) &session-state:Framed-MTU = 994 (26) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (26) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (26) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (26) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (26) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (26) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (26) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Certificate" (26) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (26) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, CertificateVerify" (26) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (26) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (26) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (26) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (26) &session-state:TLS-Session-Version = "TLS 1.2" (26) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (26) authorize { (26) policy filter_username { (26) if (&User-Name) { (26) if (&User-Name) -> TRUE (26) if (&User-Name) { (26) if (&User-Name =~ / /) { (26) if (&User-Name =~ / /) -> FALSE (26) if (&User-Name =~ /@[^@]*@/ ) { (26) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (26) if (&User-Name =~ /\.\./ ) { (26) if (&User-Name =~ /\.\./ ) -> FALSE (26) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (26) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (26) if (&User-Name =~ /\.$/) { (26) if (&User-Name =~ /\.$/) -> FALSE (26) if (&User-Name =~ /@\./) { (26) if (&User-Name =~ /@\./) -> FALSE (26) } # if (&User-Name) = notfound (26) } # policy filter_username = notfound (26) [preprocess] = ok (26) suffix: Checking for suffix after "@" (26) suffix: No '@' in User-Name = "F6PJ500VNTH0", looking up realm NULL (26) suffix: No such realm "NULL" (26) [suffix] = noop (26) eap: Peer sent EAP Response (code 2) ID 220 length 6 (26) eap: No EAP Start, assuming it's an on-going EAP conversation (26) [eap] = updated (26) [files] = noop rlm_ldap (ldap): Reserved connection (6) (26) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (26) ldap: --> (uid=F6PJ500VNTH0) (26) ldap: Performing search in "dc=users,dc=arendtsen,dc=dk" with filter "(uid=F6PJ500VNTH0)", scope "sub" (26) ldap: Waiting for search result... (26) ldap: User object found at DN "uid=F6PJ500VNTH0,ou=ipad,ou=devices,dc=users,dc=arendtsen,dc=dk" (26) ldap: EXPAND (&(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))) (26) ldap: --> (&(objectClass=posixGroup)(|(member=uid\3dF6PJ500VNTH0\2cou\3dipad\2cou\3ddevices\2cdc\3dusers\2cdc\3darendtsen\2cdc\3ddk)(memberUid=F6PJ500VNTH0))) (26) ldap: Performing search in "dc=groups,dc=arendtsen,dc=dk" with filter "(&(objectClass=posixGroup)(|(member=uid\3dF6PJ500VNTH0\2cou\3dipad\2cou\3ddevices\2cdc\3dusers\2cdc\3darendtsen\2cdc\3ddk)(memberUid=F6PJ500VNTH0)))", scope "sub" (26) ldap: Waiting for search result... (26) ldap: Adding cacheable group object memberships (26) ldap: &control:LDAP-Group += "radius-vlan-secure" (26) ldap: Processing user attributes (26) ldap: control:Password-With-Header += 'F6PJ500VNTH0' rlm_ldap (ldap): Released connection (6) (26) [ldap] = updated (26) [expiration] = noop (26) [logintime] = noop (26) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (26) pap: Removing &control:Password-With-Header (26) pap: WARNING: Auth-Type already set. Not setting to PAP (26) [pap] = noop (26) } # authorize = updated (26) Found Auth-Type = eap (26) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (26) authenticate { (26) eap: Expiring EAP session with state 0xeb52e275ec8eefc1 (26) eap: Finished EAP session with state 0xeb52e275ec8eefc1 (26) eap: Previous EAP request found for state 0xeb52e275ec8eefc1, released from the list (26) eap: Peer sent packet with method EAP TLS (13) (26) eap: Calling submodule eap_tls to process data (26) eap_tls: (TLS) Peer ACKed our handshake fragment. handshake is finished (26) eap_tls: Validating certificate (26) Virtual server check-eap-tls-arendtsen received request (26) User-Name = "F6PJ500VNTH0" (26) NAS-IP-Address = 192.168.254.20 (26) NAS-Identifier = "7a455839b642" (26) Called-Station-Id = "7A-45-58-39-B6-42:arendtsen-secure" (26) NAS-Port-Type = Wireless-802.11 (26) Service-Type = Framed-User (26) Calling-Station-Id = "64-0B-D7-DE-4A-44" (26) Connect-Info = "CONNECT 0Mbps 802.11a" (26) Acct-Session-Id = "C931B4760D7AD332" (26) Acct-Multi-Session-Id = "9E8F3E49C91FA6F6" (26) WLAN-Pairwise-Cipher = 1027081 (26) WLAN-Group-Cipher = 1027081 (26) WLAN-AKM-Suite = 1027084 (26) WLAN-Group-Mgmt-Cipher = 1027084 (26) Framed-MTU = 1400 (26) EAP-Message = 0x02dc00060d00 (26) State = 0xeb52e275ec8eefc1932f5b1261513358 (26) Message-Authenticator = 0x082d2632fb8924e57cf1f118ed576b18 (26) Event-Timestamp = "Aug 15 2023 00:44:46 CEST" (26) EAP-Type = TLS (26) TLS-Cert-Serial := "714cce994724fbab9c091bbe8d98c700e39a3efb" (26) TLS-Cert-Expiration := "261013191708Z" (26) TLS-Cert-Valid-Since := "211011191708Z" (26) TLS-Cert-Subject := "/C=DK/O=Arendtsen/CN=Arendtsen Devices Issusing CA 20211011" (26) TLS-Cert-Issuer := "/CN=Arendtsen Root CA 20210823" (26) TLS-Cert-Common-Name := "Arendtsen Devices Issusing CA 20211011" (26) TLS-Client-Cert-Serial := "6cff7e76695b0cf259f0" (26) TLS-Client-Cert-Expiration := "240731203959Z" (26) TLS-Client-Cert-Valid-Since := "230731203959Z" (26) TLS-Client-Cert-Subject := "/DC=dk/DC=arendtsen/DC=devices/OU=ipad/CN=F6PJ500VNTH0" (26) TLS-Client-Cert-Issuer := "/C=DK/O=Arendtsen/CN=Arendtsen Devices Issusing CA 20211011" (26) TLS-Client-Cert-Common-Name := "F6PJ500VNTH0" (26) TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:10:1C:A7:8C:D7:17:69:61:C6:0B:F3:8F:B2:D4:7E:EC:0D:11:82:27\n" (26) TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE" (26) TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication" (26) TLS-Client-Cert-X509v3-Certificate-Policies += "Policy: 1.2.3.4\n CPS: http://pki.arendtsen.dk/cps.html\n CPS: http://pki.arendtsen.dk/cps.html\n User Notice:\n Explicit Text: This is a comment for policy oid 1.2.3.4\n" (26) TLS-Client-Cert-X509v3-Subject-Key-Identifier += "81:17:16:D4:F4:AC:85:99:09:6C:53:F2:B6:F5:EE:76:E0:88:45:EA" (26) TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" (26) WARNING: Outer and inner identities are the same. User privacy is compromised. (26) server check-eap-tls-arendtsen { (26) session-state: No cached attributes (26) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/check-eap-tls-arendtsen (26) authorize { (26) if (&User-Name == &TLS-Client-Cert-Common-Name) { (26) if (&User-Name == &TLS-Client-Cert-Common-Name) -> TRUE (26) if (&User-Name == &TLS-Client-Cert-Common-Name) { (26) update config { (26) &Auth-Type := Accept (26) } # update config = noop (26) } # if (&User-Name == &TLS-Client-Cert-Common-Name) = noop (26) ... skipping else: Preceding "if" was taken rlm_ldap (ldap): Reserved connection (7) (26) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (26) ldap: --> (uid=F6PJ500VNTH0) (26) ldap: Performing search in "dc=users,dc=arendtsen,dc=dk" with filter "(uid=F6PJ500VNTH0)", scope "sub" (26) ldap: Waiting for search result... (26) ldap: User object found at DN "uid=F6PJ500VNTH0,ou=ipad,ou=devices,dc=users,dc=arendtsen,dc=dk" (26) ldap: EXPAND (&(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))) (26) ldap: --> (&(objectClass=posixGroup)(|(member=uid\3dF6PJ500VNTH0\2cou\3dipad\2cou\3ddevices\2cdc\3dusers\2cdc\3darendtsen\2cdc\3ddk)(memberUid=F6PJ500VNTH0))) (26) ldap: Performing search in "dc=groups,dc=arendtsen,dc=dk" with filter "(&(objectClass=posixGroup)(|(member=uid\3dF6PJ500VNTH0\2cou\3dipad\2cou\3ddevices\2cdc\3dusers\2cdc\3darendtsen\2cdc\3ddk)(memberUid=F6PJ500VNTH0)))", scope "sub" (26) ldap: Waiting for search result... (26) ldap: Adding cacheable group object memberships (26) ldap: &control:LDAP-Group += "radius-vlan-secure" (26) ldap: Processing user attributes (26) ldap: control:Password-With-Header += 'F6PJ500VNTH0' rlm_ldap (ldap): Released connection (7) (26) [ldap] = updated (26) if (Ldap-Group == "radius-vlan-*") { (26) Searching for user in group "radius-vlan-*" (26) Cached membership not found (26) User is not a member of "radius-vlan-*" (26) if (Ldap-Group == "radius-vlan-*") -> FALSE (26) [files] = noop (26) auth_log: EXPAND /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (26) auth_log: --> /var/log/radacct/192.168.254.20/auth-detail-20230815 (26) auth_log: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/192.168.254.20/auth-detail-20230815 (26) auth_log: EXPAND %t (26) auth_log: --> Tue Aug 15 00:44:46 2023 (26) [auth_log] = ok (26) } # authorize = updated (26) Found Auth-Type = Accept (26) Auth-Type = Accept, accepting the user (26) } # server check-eap-tls-arendtsen (26) Virtual server sending reply (26) eap: Sending EAP Success (code 3) ID 220 length 4 (26) eap: Freeing handler (26) [eap] = ok (26) } # authenticate = ok (26) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (26) post-auth { (26) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (26) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (26) update { (26) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994 (26) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake, ClientHello' (26) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHello' (26) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Certificate' (26) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerKeyExchange' (26) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, CertificateRequest' (26) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHelloDone' (26) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, Certificate' (26) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, ClientKeyExchange' (26) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, CertificateVerify' (26) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, Finished' (26) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 ChangeCipherSpec' (26) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Finished' (26) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384' (26) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2' (26) } # update = noop (26) [exec] = noop (26) policy remove_reply_message_if_eap { (26) if (&reply:EAP-Message && &reply:Reply-Message) { (26) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (26) else { (26) [noop] = noop (26) } # else = noop (26) } # policy remove_reply_message_if_eap = noop (26) if (EAP-Key-Name && &reply:EAP-Session-Id) { (26) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE (26) } # post-auth = noop (26) Sent Access-Accept Id 71 from 192.168.254.16:1812 to 192.168.254.20:53045 length 180 (26) MS-MPPE-Recv-Key = 0x9cb434c734b8e7d27b9494b6d8f4f47a3f8f81f92922acdb5b99bb5e4fa1f4cd (26) MS-MPPE-Send-Key = 0xc7ce3031d01013d6d972005c9162bc415e6a10eb9b189509de4241322f6bc9cf (26) EAP-Message = 0x03dc0004 (26) Message-Authenticator = 0x00000000000000000000000000000000 (26) User-Name = "F6PJ500VNTH0" (26) Framed-MTU += 994 (26) Finished request Waking up in 4.7 seconds. (18) Cleaning up request packet ID 63 with timestamp +6425 due to cleanup_delay was reached Waking up in 0.1 seconds. (19) Cleaning up request packet ID 64 with timestamp +6425 due to cleanup_delay was reached (20) Cleaning up request packet ID 65 with timestamp +6425 due to cleanup_delay was reached (21) Cleaning up request packet ID 66 with timestamp +6425 due to cleanup_delay was reached (22) Cleaning up request packet ID 67 with timestamp +6425 due to cleanup_delay was reached (23) Cleaning up request packet ID 68 with timestamp +6425 due to cleanup_delay was reached (24) Cleaning up request packet ID 69 with timestamp +6425 due to cleanup_delay was reached (25) Cleaning up request packet ID 70 with timestamp +6425 due to cleanup_delay was reached (26) Cleaning up request packet ID 71 with timestamp +6425 due to cleanup_delay was reached Ready to process requests