(0) Received Access-Request Id 0 from 192.168.254.53:58519 to 192.168.254.16:1812 length 178 (0) User-Name = "6bd4a86988324e56b2dcdcf053161a02" (0) NAS-IP-Address = 127.0.0.1 (0) Calling-Station-Id = "02-00-00-00-00-01" (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) Connect-Info = "CONNECT 11Mbps 802.11b" (0) EAP-Message = 0x02920025013662643461383639383833323465353662326463646366303533313631613032 (0) Message-Authenticator = 0x8caac4df266da9b1bc455824aacdb639 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "6bd4a86988324e56b2dcdcf053161a02", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 146 length 37 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_tls to process data (0) eap_tls: (TLS) Initiating new session (0) eap_tls: (TLS) Setting verify mode to require 
certificate from client (0) eap: Sending EAP Request (code 1) ID 147 length 6 (0) eap: EAP session adding &reply:State = 0x714db82071deb5e1 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) session-state: Saving cached attributes (0) Framed-MTU = 994 (0) Sent Access-Challenge Id 0 from 192.168.254.16:1812 to 192.168.254.53:58519 length 64 (0) EAP-Message = 0x019300060d20 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x714db82071deb5e1583d745a3b253418 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 1 from 192.168.254.53:58519 to 192.168.254.16:1812 length 349 (1) User-Name = "6bd4a86988324e56b2dcdcf053161a02" (1) NAS-IP-Address = 127.0.0.1 (1) Calling-Station-Id = "02-00-00-00-00-01" (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) Connect-Info = "CONNECT 11Mbps 802.11b" (1) EAP-Message = 0x029300be0d0016030100b3010000af03031d1ce050b15b043d3fdc932df1b944cd12e2b628839542bff33676f0f474da03000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100004e000b000403000102000a000c000a001d0017001e001900180016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602 (1) State = 0x714db82071deb5e1583d745a3b253418 (1) Message-Authenticator = 0xd94f785d7f2f4184a43bf965c22f2dbf (1) Restoring &session-state (1) &session-state:Framed-MTU = 994 (1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ 
/\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "6bd4a86988324e56b2dcdcf053161a02", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 147 length 190 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x714db82071deb5e1 (1) eap: Finished EAP session with state 0x714db82071deb5e1 (1) eap: Previous EAP request found for state 0x714db82071deb5e1, released from the list (1) eap: Peer sent packet with method EAP TLS (13) (1) eap: Calling submodule eap_tls to process data (1) eap_tls: (TLS) EAP Done initial handshake (1) eap_tls: (TLS) Handshake state - before SSL initialization (1) eap_tls: (TLS) Handshake state - Server before SSL initialization (1) eap_tls: (TLS) Handshake state - Server before SSL initialization (1) eap_tls: (TLS) recv TLS 1.3 Handshake, ClientHello (1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client hello (1) eap_tls: (TLS) send TLS 1.2 Handshake, ServerHello (1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server hello (1) eap_tls: (TLS) send TLS 1.2 Handshake, Certificate (1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write certificate (1) eap_tls: (TLS) send TLS 1.2 Handshake, ServerKeyExchange (1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write key exchange (1) eap_tls: (TLS) 
send TLS 1.2 Handshake, CertificateRequest (1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write certificate request (1) eap_tls: (TLS) send TLS 1.2 Handshake, ServerHelloDone (1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done (1) eap_tls: (TLS) Server : Need to read more data: SSLv3/TLS write server done (1) eap_tls: (TLS) In Handshake Phase (1) eap: Sending EAP Request (code 1) ID 148 length 1004 (1) eap: EAP session adding &reply:State = 0x714db82070d9b5e1 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) session-state: Saving cached attributes (1) Framed-MTU = 994 (1) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (1) Sent Access-Challenge Id 1 from 192.168.254.16:1812 to 192.168.254.53:58519 length 1068 (1) EAP-Message = 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 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x714db82070d9b5e1583d745a3b253418 (1) Finished request Waking up in 4.9 seconds. 
(2) Received Access-Request Id 2 from 192.168.254.53:58519 to 192.168.254.16:1812 length 165 (2) User-Name = "6bd4a86988324e56b2dcdcf053161a02" (2) NAS-IP-Address = 127.0.0.1 (2) Calling-Station-Id = "02-00-00-00-00-01" (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Service-Type = Framed-User (2) Connect-Info = "CONNECT 11Mbps 802.11b" (2) EAP-Message = 0x029400060d00 (2) State = 0x714db82070d9b5e1583d745a3b253418 (2) Message-Authenticator = 0xf5df48a0b660bdc8a243fc488750cea4 (2) Restoring &session-state (2) &session-state:Framed-MTU = 994 (2) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = 
"6bd4a86988324e56b2dcdcf053161a02", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 148 length 6 (2) eap: No EAP Start, assuming it's an on-going EAP conversation (2) [eap] = updated (2) } # authorize = updated (2) Found Auth-Type = eap (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x714db82070d9b5e1 (2) eap: Finished EAP session with state 0x714db82070d9b5e1 (2) eap: Previous EAP request found for state 0x714db82070d9b5e1, released from the list (2) eap: Peer sent packet with method EAP TLS (13) (2) eap: Calling submodule eap_tls to process data (2) eap_tls: (TLS) Peer ACKed our handshake fragment (2) eap: Sending EAP Request (code 1) ID 149 length 1004 (2) eap: EAP session adding &reply:State = 0x714db82073d8b5e1 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (2) Challenge { ... 
} # empty sub-section is ignored (2) session-state: Saving cached attributes (2) Framed-MTU = 994 (2) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (2) Sent Access-Challenge Id 2 from 192.168.254.16:1812 to 192.168.254.53:58519 length 1068 (2) EAP-Message = 0x019503ec0dc000000a382f706b692e6172656e647473656e2e646b2f646f776e6c6f61642f4172656e647473656e5f536572766572735f4973737573696e675f43415f32303231313031302e63726c30130603551d25040c300a06082b06010505070301300e0603551d0f0101ff0404030203a83081aa0603551d200481a230819f30819c06032a0304308194302c06082b060105050702011620687474703a2f2f706b692e6172656e647473656e2e646b2f6370732e68746d6c302c06082b060105050702011620687474703a2f2f706b692e6172656e647473656e2e646b2f6370732e68746d6c303606082b06010505070202302a1a2854686973206973206120636f6d6d656e7420666f7220706f6c696379206f696420312e322e332e3430819d0603551d11048195308192821a617574682e696e7465726e616c2e6172656e647473656e2e646b821c6175746830322e696e7465726e616c2e6172656e647473656e2e646b821c6c64617030322e696e746572 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x714db82073d8b5e1583d745a3b253418 (2) Finished request Waking up in 4.9 seconds. 
(3) Received Access-Request Id 3 from 192.168.254.53:58519 to 192.168.254.16:1812 length 165 (3) User-Name = "6bd4a86988324e56b2dcdcf053161a02" (3) NAS-IP-Address = 127.0.0.1 (3) Calling-Station-Id = "02-00-00-00-00-01" (3) Framed-MTU = 1400 (3) NAS-Port-Type = Wireless-802.11 (3) Service-Type = Framed-User (3) Connect-Info = "CONNECT 11Mbps 802.11b" (3) EAP-Message = 0x029500060d00 (3) State = 0x714db82073d8b5e1583d745a3b253418 (3) Message-Authenticator = 0x3fddab1b30b37e9352de5897da26d054 (3) Restoring &session-state (3) &session-state:Framed-MTU = 994 (3) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = 
"6bd4a86988324e56b2dcdcf053161a02", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 149 length 6 (3) eap: No EAP Start, assuming it's an on-going EAP conversation (3) [eap] = updated (3) } # authorize = updated (3) Found Auth-Type = eap (3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x714db82073d8b5e1 (3) eap: Finished EAP session with state 0x714db82073d8b5e1 (3) eap: Previous EAP request found for state 0x714db82073d8b5e1, released from the list (3) eap: Peer sent packet with method EAP TLS (13) (3) eap: Calling submodule eap_tls to process data (3) eap_tls: (TLS) Peer ACKed our handshake fragment (3) eap: Sending EAP Request (code 1) ID 150 length 638 (3) eap: EAP session adding &reply:State = 0x714db82072dbb5e1 (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (3) Challenge { ... 
} # empty sub-section is ignored (3) session-state: Saving cached attributes (3) Framed-MTU = 994 (3) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (3) Sent Access-Challenge Id 3 from 192.168.254.16:1812 to 192.168.254.53:58519 length 700 (3) EAP-Message = 0x0196027e0d8000000a38fba213fd6a6cc3c1133cdfc746d1e76f227755c9f9b78463494a4feaa86a502c59a709243aec8a976ca0cccc2722a38e86ed2a0f98afaf10af10b7aed80bf60b5c07ee90ad4928292a482701547fc7502c5b2709c610ff04ee34bfc5908f9bc74f86ed612effd71a8c9b947c85ec672b0593a2ea317fececa73731d739afcd98816c37a62224c697858c0690035c17eff5ab2b30217c377872a49a70842bb03aeb57b15322555dff227bcf713fe6fa33703e02d72ab07ac202d279494c8a908be899c866773a36fe54d89f902a06cd0157a73d300d097d00f78b6bb184cfb05769cf5adf011c382fb68b0a28c700299bcf18dbf9b11736ba605bdef7b97ed0924fd2ad7ffddfbde67c5efea3747986ab5c5b5a5727bb3d07bde7cac9e65287260090dffdfbe2dfe275158175192af4b7b5864203e1ec9dd2ef6388bb018f4c7a8b8dec12f621965566022c5b3433aaa80639f2b39019e55d0088160303010c0d00010803010240002e04030503 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x714db82072dbb5e1583d745a3b253418 (3) Finished request Waking up in 4.9 seconds. 
(4) Received Access-Request Id 4 from 192.168.254.53:58519 to 192.168.254.16:1812 length 1577 (4) User-Name = "6bd4a86988324e56b2dcdcf053161a02" (4) NAS-IP-Address = 127.0.0.1 (4) Calling-Station-Id = "02-00-00-00-00-01" (4) Framed-MTU = 1400 (4) NAS-Port-Type = Wireless-802.11 (4) Service-Type = Framed-User (4) Connect-Info = "CONNECT 11Mbps 802.11b" (4) EAP-Message = 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 (4) State = 0x714db82072dbb5e1583d745a3b253418 (4) Message-Authenticator = 0x1efe45f44e13e5875bd3953a2ffdd34e (4) Restoring &session-state (4) &session-state:Framed-MTU = 994 (4) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (4) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) suffix: Checking for suffix after "@" (4) 
suffix: No '@' in User-Name = "6bd4a86988324e56b2dcdcf053161a02", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 150 length 1408 (4) eap: No EAP Start, assuming it's an on-going EAP conversation (4) [eap] = updated (4) } # authorize = updated (4) Found Auth-Type = eap (4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x714db82072dbb5e1 (4) eap: Finished EAP session with state 0x714db82072dbb5e1 (4) eap: Previous EAP request found for state 0x714db82072dbb5e1, released from the list (4) eap: Peer sent packet with method EAP TLS (13) (4) eap: Calling submodule eap_tls to process data (4) eap_tls: (TLS) EAP Peer says that the final record size will be 2193 bytes (4) eap_tls: (TLS) EAP Expecting 2 fragments (4) eap_tls: (TLS) EAP Got first TLS fragment (1398 bytes). Peer says more fragments will follow (4) eap_tls: (TLS) EAP ACKing fragment, the peer should send more data. (4) eap: Sending EAP Request (code 1) ID 151 length 6 (4) eap: EAP session adding &reply:State = 0x714db82075dab5e1 (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (4) Challenge { ... 
} # empty sub-section is ignored (4) session-state: Saving cached attributes (4) Framed-MTU = 994 (4) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (4) Sent Access-Challenge Id 4 from 192.168.254.16:1812 to 192.168.254.53:58519 length 64 (4) EAP-Message = 0x019700060d00 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x714db82075dab5e1583d745a3b253418 (4) Finished request Waking up in 4.9 seconds. (5) Received Access-Request Id 5 from 192.168.254.53:58519 to 192.168.254.16:1812 length 966 (5) User-Name = "6bd4a86988324e56b2dcdcf053161a02" (5) NAS-IP-Address = 127.0.0.1 (5) Calling-Station-Id = "02-00-00-00-00-01" (5) Framed-MTU = 1400 (5) NAS-Port-Type = Wireless-802.11 (5) Service-Type = Framed-User (5) Connect-Info = "CONNECT 11Mbps 802.11b" (5) EAP-Message = 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 (5) State = 0x714db82075dab5e1583d745a3b253418 (5) Message-Authenticator = 0xadb31f3228ef8dcb1f2f19f2293961eb (5) Restoring &session-state (5) &session-state:Framed-MTU = 994 (5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (5) # 
Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "6bd4a86988324e56b2dcdcf053161a02", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 151 length 801 (5) eap: No EAP Start, assuming it's an on-going EAP conversation (5) [eap] = updated (5) } # authorize = updated (5) Found Auth-Type = eap (5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x714db82075dab5e1 (5) eap: Finished EAP session with state 0x714db82075dab5e1 (5) eap: Previous EAP request found for state 0x714db82075dab5e1, released from the list (5) eap: Peer sent packet with method EAP TLS (13) (5) eap: Calling submodule eap_tls to process data (5) eap_tls: (TLS) EAP Got final fragment (795 bytes) (5) eap_tls: (TLS) EAP Done initial handshake (5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done (5) eap_tls: (TLS) recv TLS 1.2 Handshake, Certificate (5) eap_tls: (TLS) Creating attributes from server certificate (5) eap_tls: TLS-Cert-Serial := "714cce994724fbab9c091bbe8d98c700e39a3efb" (5) eap_tls: TLS-Cert-Expiration := "261013191708Z" 
(5) eap_tls: TLS-Cert-Valid-Since := "211011191708Z"
(5) eap_tls: TLS-Cert-Subject := "/C=DK/O=Arendtsen/CN=Arendtsen Devices Issusing CA 20211011"
(5) eap_tls: TLS-Cert-Issuer := "/CN=Arendtsen Root CA 20210823"
(5) eap_tls: TLS-Cert-Common-Name := "Arendtsen Devices Issusing CA 20211011"
(5) eap_tls: (TLS) Creating attributes from client certificate
(5) eap_tls: TLS-Client-Cert-Serial := "72ff95dcf40cd6883c85"
(5) eap_tls: TLS-Client-Cert-Expiration := "240816211950Z"
(5) eap_tls: TLS-Client-Cert-Valid-Since := "230816211950Z"
(5) eap_tls: TLS-Client-Cert-Subject := "/DC=dk/DC=arendtsen/DC=devices/OU=devices/CN=6bd4a86988324e56b2dcdcf053161a02"
(5) eap_tls: TLS-Client-Cert-Issuer := "/C=DK/O=Arendtsen/CN=Arendtsen Devices Issusing CA 20211011"
(5) eap_tls: TLS-Client-Cert-Common-Name := "6bd4a86988324e56b2dcdcf053161a02"
(5) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:10:1C:A7:8C:D7:17:69:61:C6:0B:F3:8F:B2:D4:7E:EC:0D:11:82:27\n"
(5) eap_tls: TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
(5) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication"
(5) eap_tls: TLS-Client-Cert-X509v3-Certificate-Policies += "Policy: 1.2.3.4\n CPS: http://pki.arendtsen.dk/cps.html\n CPS: http://pki.arendtsen.dk/cps.html\n User Notice:\n Explicit Text: This is a comment for policy oid 1.2.3.4\n"
(5) eap_tls: TLS-Client-Cert-X509v3-Subject-Key-Identifier += "AE:82:62:6F:EA:A4:FF:BE:D0:36:FE:AD:C8:6C:4C:AE:4A:D1:E6:CE"
(5) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
Certificate chain - 1 cert(s) untrusted
(TLS) untrusted certificate with depth [0] subject name /DC=dk/DC=arendtsen/DC=devices/OU=devices/CN=6bd4a86988324e56b2dcdcf053161a02
(5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client certificate
(5) eap_tls: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange
(5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client key exchange
(5) eap_tls: (TLS) recv TLS 1.2 Handshake, CertificateVerify
(5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read certificate verify
(5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read change cipher spec
(5) eap_tls: (TLS) recv TLS 1.2 Handshake, Finished
(5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read finished
(5) eap_tls: (TLS) send TLS 1.2 ChangeCipherSpec
(5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write change cipher spec
(5) eap_tls: (TLS) send TLS 1.2 Handshake, Finished
(5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write finished
(5) eap_tls: (TLS) Handshake state - SSL negotiation finished successfully
(5) eap_tls: (TLS) Connection Established
(5) eap_tls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5) eap_tls: TLS-Session-Version = "TLS 1.2"
(5) eap: Sending EAP Request (code 1) ID 152 length 61
(5) eap: EAP session adding &reply:State = 0x714db82074d5b5e1
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(5) Challenge { ...
} # empty sub-section is ignored (5) session-state: Saving cached attributes (5) Framed-MTU = 994 (5) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (5) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Certificate" (5) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (5) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, CertificateVerify" (5) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (5) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (5) TLS-Session-Version = "TLS 1.2" (5) Sent Access-Challenge Id 5 from 192.168.254.16:1812 to 192.168.254.53:58519 length 119 (5) EAP-Message = 0x0198003d0d80000000331403030001011603030028f861fe0b34146dfcaf5aaaec0a5272a5f9df177450e4b52046238bcbbaae0cc7ad157199059d8872 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x714db82074d5b5e1583d745a3b253418 (5) Finished request Waking up in 4.9 seconds. 
(6) Received Access-Request Id 6 from 192.168.254.53:58519 to 192.168.254.16:1812 length 165 (6) User-Name = "6bd4a86988324e56b2dcdcf053161a02" (6) NAS-IP-Address = 127.0.0.1 (6) Calling-Station-Id = "02-00-00-00-00-01" (6) Framed-MTU = 1400 (6) NAS-Port-Type = Wireless-802.11 (6) Service-Type = Framed-User (6) Connect-Info = "CONNECT 11Mbps 802.11b" (6) EAP-Message = 0x029800060d00 (6) State = 0x714db82074d5b5e1583d745a3b253418 (6) Message-Authenticator = 0x05fb65cb6264ce5c9a215eb25dde9f09 (6) Restoring &session-state (6) &session-state:Framed-MTU = 994 (6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Certificate" (6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, CertificateVerify" (6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (6) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (6) &session-state:TLS-Session-Version = "TLS 1.2" (6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ 
/ /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "6bd4a86988324e56b2dcdcf053161a02", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 152 length 6 (6) eap: No EAP Start, assuming it's an on-going EAP conversation (6) [eap] = updated (6) } # authorize = updated (6) Found Auth-Type = eap (6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x714db82074d5b5e1 (6) eap: Finished EAP session with state 0x714db82074d5b5e1 (6) eap: Previous EAP request found for state 0x714db82074d5b5e1, released from the list (6) eap: Peer sent packet with method EAP TLS (13) (6) eap: Calling submodule eap_tls to process data (6) eap_tls: (TLS) Peer ACKed our handshake fragment. 
handshake is finished (6) eap_tls: Validating certificate (6) Virtual server check-eap-tls-arendtsen received request (6) User-Name = "6bd4a86988324e56b2dcdcf053161a02" (6) NAS-IP-Address = 127.0.0.1 (6) Calling-Station-Id = "02-00-00-00-00-01" (6) Framed-MTU = 1400 (6) NAS-Port-Type = Wireless-802.11 (6) Service-Type = Framed-User (6) Connect-Info = "CONNECT 11Mbps 802.11b" (6) EAP-Message = 0x029800060d00 (6) State = 0x714db82074d5b5e1583d745a3b253418 (6) Message-Authenticator = 0x05fb65cb6264ce5c9a215eb25dde9f09 (6) Event-Timestamp = "Aug 18 2023 15:41:21 CEST" (6) EAP-Type = TLS (6) TLS-Cert-Serial := "714cce994724fbab9c091bbe8d98c700e39a3efb" (6) TLS-Cert-Expiration := "261013191708Z" (6) TLS-Cert-Valid-Since := "211011191708Z" (6) TLS-Cert-Subject := "/C=DK/O=Arendtsen/CN=Arendtsen Devices Issusing CA 20211011" (6) TLS-Cert-Issuer := "/CN=Arendtsen Root CA 20210823" (6) TLS-Cert-Common-Name := "Arendtsen Devices Issusing CA 20211011" (6) TLS-Client-Cert-Serial := "72ff95dcf40cd6883c85" (6) TLS-Client-Cert-Expiration := "240816211950Z" (6) TLS-Client-Cert-Valid-Since := "230816211950Z" (6) TLS-Client-Cert-Subject := "/DC=dk/DC=arendtsen/DC=devices/OU=devices/CN=6bd4a86988324e56b2dcdcf053161a02" (6) TLS-Client-Cert-Issuer := "/C=DK/O=Arendtsen/CN=Arendtsen Devices Issusing CA 20211011" (6) TLS-Client-Cert-Common-Name := "6bd4a86988324e56b2dcdcf053161a02" (6) TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:10:1C:A7:8C:D7:17:69:61:C6:0B:F3:8F:B2:D4:7E:EC:0D:11:82:27\n" (6) TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE" (6) TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication" (6) TLS-Client-Cert-X509v3-Certificate-Policies += "Policy: 1.2.3.4\n CPS: http://pki.arendtsen.dk/cps.html\n CPS: http://pki.arendtsen.dk/cps.html\n User Notice:\n Explicit Text: This is a comment for policy oid 1.2.3.4\n" (6) TLS-Client-Cert-X509v3-Subject-Key-Identifier += "AE:82:62:6F:EA:A4:FF:BE:D0:36:FE:AD:C8:6C:4C:AE:4A:D1:E6:CE" (6) 
TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" (6) WARNING: Outer and inner identities are the same. User privacy is compromised. (6) server check-eap-tls-arendtsen { (6) session-state: No cached attributes (6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/check-eap-tls-arendtsen (6) authorize { (6) if (&User-Name == &TLS-Client-Cert-Common-Name) { (6) if (&User-Name == &TLS-Client-Cert-Common-Name) -> TRUE (6) if (&User-Name == &TLS-Client-Cert-Common-Name) { (6) update config { (6) &Auth-Type := Accept (6) } # update config = noop (6) } # if (&User-Name == &TLS-Client-Cert-Common-Name) = noop (6) ... skipping else: Preceding "if" was taken rlm_ldap (ldap): Reserved connection (0) (6) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (6) ldap: --> (uid=6bd4a86988324e56b2dcdcf053161a02) (6) ldap: Performing search in "dc=users,dc=arendtsen,dc=dk" with filter "(uid=6bd4a86988324e56b2dcdcf053161a02)", scope "sub" (6) ldap: Waiting for search result... (6) ldap: User object found at DN "uid=6bd4a86988324e56b2dcdcf053161a02,ou=computers,ou=devices,dc=users,dc=arendtsen,dc=dk" (6) ldap: EXPAND (&(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))) (6) ldap: --> (&(objectClass=posixGroup)(|(member=uid\3d6bd4a86988324e56b2dcdcf053161a02\2cou\3dcomputers\2cou\3ddevices\2cdc\3dusers\2cdc\3darendtsen\2cdc\3ddk)(memberUid=6bd4a86988324e56b2dcdcf053161a02))) (6) ldap: Performing search in "dc=groups,dc=arendtsen,dc=dk" with filter "(&(objectClass=posixGroup)(|(member=uid\3d6bd4a86988324e56b2dcdcf053161a02\2cou\3dcomputers\2cou\3ddevices\2cdc\3dusers\2cdc\3darendtsen\2cdc\3ddk)(memberUid=6bd4a86988324e56b2dcdcf053161a02)))", scope "sub" (6) ldap: Waiting for search result... (6) ldap: Search returned no results (6) ldap: No cacheable group memberships found in group objects (6) ldap: Processing user attributes (6) ldap: WARNING: No "known good" password added. 
Ensure the admin user has permission to read the password attribute (6) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Released connection (0) rlm_ldap (ldap): Closing expired connection (4) - Hit idle_timeout limit rlm_ldap (ldap): Closing expired connection (3) - Hit idle_timeout limit rlm_ldap (ldap): Closing expired connection (2) - Hit idle_timeout limit rlm_ldap (ldap): Closing expired connection (1) - Hit idle_timeout limit (6) [ldap] = ok (6) if (Ldap-Group == "radius-vlan-*") { (6) Searching for user in group "radius-vlan-*" rlm_ldap (ldap): Reserved connection (0) (6) Using user DN from request "uid=6bd4a86988324e56b2dcdcf053161a02,ou=computers,ou=devices,dc=users,dc=arendtsen,dc=dk" (6) Checking for user in group objects (6) EXPAND (&(cn=radius-vlan-*)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))) (6) --> (&(cn=radius-vlan-*)(objectClass=posixGroup)(|(member=uid\3d6bd4a86988324e56b2dcdcf053161a02\2cou\3dcomputers\2cou\3ddevices\2cdc\3dusers\2cdc\3darendtsen\2cdc\3ddk)(memberUid=6bd4a86988324e56b2dcdcf053161a02))) (6) Performing search in "dc=groups,dc=arendtsen,dc=dk" with filter "(&(cn=radius-vlan-*)(objectClass=posixGroup)(|(member=uid\3d6bd4a86988324e56b2dcdcf053161a02\2cou\3dcomputers\2cou\3ddevices\2cdc\3dusers\2cdc\3darendtsen\2cdc\3ddk)(memberUid=6bd4a86988324e56b2dcdcf053161a02)))", scope "sub" (6) Waiting for search result... 
(6) Search returned no results rlm_ldap (ldap): Released connection (0) (6) User is not a member of "radius-vlan-*" (6) if (Ldap-Group == "radius-vlan-*") -> FALSE (6) [files] = noop (6) auth_log: EXPAND /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (6) auth_log: --> /var/log/radacct/192.168.254.53/auth-detail-20230818 (6) auth_log: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/192.168.254.53/auth-detail-20230818 (6) auth_log: EXPAND %t (6) auth_log: --> Fri Aug 18 15:41:21 2023 (6) [auth_log] = ok (6) } # authorize = ok (6) Found Auth-Type = Accept (6) Auth-Type = Accept, accepting the user (6) } # server check-eap-tls-arendtsen (6) Virtual server sending reply (6) eap: Sending EAP Success (code 3) ID 152 length 4 (6) eap: Freeing handler (6) [eap] = ok (6) } # authenticate = ok (6) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (6) post-auth { (6) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (6) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (6) update { (6) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994 (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake, ClientHello' (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHello' (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Certificate' (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerKeyExchange' (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, CertificateRequest' (6) 
&reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHelloDone' (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, Certificate' (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, ClientKeyExchange' (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, CertificateVerify' (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, Finished' (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 ChangeCipherSpec' (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Finished' (6) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384' (6) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2' (6) } # update = noop (6) [exec] = noop (6) policy remove_reply_message_if_eap { (6) if (&reply:EAP-Message && &reply:Reply-Message) { (6) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (6) else { (6) [noop] = noop (6) } # else = noop (6) } # policy remove_reply_message_if_eap = noop (6) if (EAP-Key-Name && &reply:EAP-Session-Id) { (6) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE (6) } # post-auth = noop (6) Sent Access-Accept Id 6 from 192.168.254.16:1812 to 192.168.254.53:58519 length 200 (6) MS-MPPE-Recv-Key = 0xa2468d726d04c7e75da0a513ab198664214cba35513f0d73d7c4ad129829893e (6) MS-MPPE-Send-Key = 0x546af68987bf3d4ef8337f74d08446b12cbca4ced61837e5a9b39707f77a48f1 (6) EAP-Message = 0x03980004 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) User-Name = "6bd4a86988324e56b2dcdcf053161a02" (6) Framed-MTU += 994 (6) Finished request Waking up in 4.9 
seconds. (0) Cleaning up request packet ID 0 with timestamp +605 due to cleanup_delay was reached (1) Cleaning up request packet ID 1 with timestamp +605 due to cleanup_delay was reached (2) Cleaning up request packet ID 2 with timestamp +605 due to cleanup_delay was reached (3) Cleaning up request packet ID 3 with timestamp +605 due to cleanup_delay was reached (4) Cleaning up request packet ID 4 with timestamp +605 due to cleanup_delay was reached (5) Cleaning up request packet ID 5 with timestamp +605 due to cleanup_delay was reached (6) Cleaning up request packet ID 6 with timestamp +605 due to cleanup_delay was reached Ready to process requests