(0) Received Access-Request Id 0 from 192.168.254.54:62613 to 192.168.254.16:1812 length 181 (0) User-Name = "6bd4a86988324e56b2dcdcf053161a02" (0) EAP-Key-Name = 0x00 (0) NAS-IP-Address = 127.0.0.1 (0) Calling-Station-Id = "02-00-00-00-00-01" (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) Connect-Info = "CONNECT 11Mbps 802.11b" (0) EAP-Message = 0x02140025013662643461383639383833323465353662326463646366303533313631613032 (0) Message-Authenticator = 0x243d671419b07b069f8a8997bf64bbf7 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "6bd4a86988324e56b2dcdcf053161a02", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 20 length 37 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_tls to process data (0) eap_tls: (TLS) Initiating new session (0) eap_tls: (TLS) Setting verify mode to require certificate from client (0) eap: Sending EAP Request (code 1) ID 21 length 6 (0) eap: EAP session adding &reply:State = 0x14fba4be14eea9e8 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) session-state: Saving cached attributes (0) Framed-MTU = 994 (0) Sent Access-Challenge Id 0 from 192.168.254.16:1812 to 192.168.254.54:62613 length 64 (0) EAP-Message = 0x011500060d20 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x14fba4be14eea9e8a4487bf82773588b (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 1 from 192.168.254.54:62613 to 192.168.254.16:1812 length 352 (1) User-Name = "6bd4a86988324e56b2dcdcf053161a02" (1) EAP-Key-Name = 0x00 (1) NAS-IP-Address = 127.0.0.1 (1) Calling-Station-Id = "02-00-00-00-00-01" (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) Connect-Info = "CONNECT 11Mbps 802.11b" (1) EAP-Message = 0x021500be0d0016030100b3010000af0303c2ebfd63e900841e023156f44d79f8e808024f49764561d3542fe0f7afc1f07f000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100004e000b000403000102000a000c000a001d0017001e001900180016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602 (1) State = 0x14fba4be14eea9e8a4487bf82773588b (1) Message-Authenticator = 0xa0052c961fba7058706110644824dec9 (1) Restoring &session-state (1) &session-state:Framed-MTU = 994 (1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "6bd4a86988324e56b2dcdcf053161a02", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 21 length 190 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x14fba4be14eea9e8 (1) eap: Finished EAP session with state 0x14fba4be14eea9e8 (1) eap: Previous EAP request found for state 0x14fba4be14eea9e8, released from the list (1) eap: Peer sent packet with method EAP TLS (13) (1) eap: Calling submodule eap_tls to process data (1) eap_tls: (TLS) EAP Done initial handshake (1) eap_tls: (TLS) Handshake state - before SSL initialization (1) eap_tls: (TLS) Handshake state - Server before SSL initialization (1) eap_tls: (TLS) Handshake state - Server before SSL initialization (1) eap_tls: (TLS) recv TLS 1.3 Handshake, ClientHello (1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client hello (1) eap_tls: (TLS) send TLS 1.2 Handshake, ServerHello (1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server hello (1) eap_tls: (TLS) send TLS 1.2 Handshake, Certificate (1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write certificate (1) eap_tls: (TLS) send TLS 1.2 Handshake, ServerKeyExchange (1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write key exchange (1) eap_tls: (TLS) send TLS 1.2 Handshake, CertificateRequest (1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write certificate request (1) eap_tls: (TLS) send TLS 1.2 Handshake, ServerHelloDone (1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done (1) eap_tls: (TLS) Server : Need to read more data: SSLv3/TLS write server done (1) eap_tls: (TLS) In Handshake Phase (1) eap: Sending EAP Request (code 1) ID 22 length 1004 (1) eap: EAP session adding &reply:State = 0x14fba4be15eda9e8 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) session-state: Saving cached attributes (1) Framed-MTU = 994 (1) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (1) Sent Access-Challenge Id 1 from 192.168.254.16:1812 to 192.168.254.54:62613 length 1068 (1) EAP-Message = 0x011603ec0dc000000a38160303003d020000390303adc120f95a74ceb3f8b403d0a283ba46d823126aced0af9787b4232a33cd707800c030000011ff01000100000b0004030001020017000016030307050b0007010006fe0006fb308206f73082055fa003020102020a4fff11373021e4b7f7d0300d06092a864886f70d01010b05003052310b300906035504061302444b31123010060355040a0c094172656e647473656e312f302d06035504030c264172656e647473656e2053657276657273204973737573696e67204341203230323131303130301e170d3233303732323232313430335a170d3234303132323232313430335a306a31123010060a0992268993f22c6401191602646b31193017060a0992268993f22c64011916096172656e647473656e31123010060a0992268993f22c640119160263613125302306035504030c1c6175746830322e696e7465726e616c2e6172656e647473656e2e646b308201a2300d06092a864886f70d010101050003 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x14fba4be15eda9e8a4487bf82773588b (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 2 from 192.168.254.54:62613 to 192.168.254.16:1812 length 168 (2) User-Name = "6bd4a86988324e56b2dcdcf053161a02" (2) EAP-Key-Name = 0x00 (2) NAS-IP-Address = 127.0.0.1 (2) Calling-Station-Id = "02-00-00-00-00-01" (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Service-Type = Framed-User (2) Connect-Info = "CONNECT 11Mbps 802.11b" (2) EAP-Message = 0x021600060d00 (2) State = 0x14fba4be15eda9e8a4487bf82773588b (2) Message-Authenticator = 0xf991e435f200a3988a1963d4d6922f08 (2) Restoring &session-state (2) &session-state:Framed-MTU = 994 (2) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "6bd4a86988324e56b2dcdcf053161a02", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 22 length 6 (2) eap: No EAP Start, assuming it's an on-going EAP conversation (2) [eap] = updated (2) } # authorize = updated (2) Found Auth-Type = eap (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x14fba4be15eda9e8 (2) eap: Finished EAP session with state 0x14fba4be15eda9e8 (2) eap: Previous EAP request found for state 0x14fba4be15eda9e8, released from the list (2) eap: Peer sent packet with method EAP TLS (13) (2) eap: Calling submodule eap_tls to process data (2) eap_tls: (TLS) Peer ACKed our handshake fragment (2) eap: Sending EAP Request (code 1) ID 23 length 1004 (2) eap: EAP session adding &reply:State = 0x14fba4be16eca9e8 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) session-state: Saving cached attributes (2) Framed-MTU = 994 (2) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (2) Sent Access-Challenge Id 2 from 192.168.254.16:1812 to 192.168.254.54:62613 length 1068 (2) EAP-Message = 0x011703ec0dc000000a382f706b692e6172656e647473656e2e646b2f646f776e6c6f61642f4172656e647473656e5f536572766572735f4973737573696e675f43415f32303231313031302e63726c30130603551d25040c300a06082b06010505070301300e0603551d0f0101ff0404030203a83081aa0603551d200481a230819f30819c06032a0304308194302c06082b060105050702011620687474703a2f2f706b692e6172656e647473656e2e646b2f6370732e68746d6c302c06082b060105050702011620687474703a2f2f706b692e6172656e647473656e2e646b2f6370732e68746d6c303606082b06010505070202302a1a2854686973206973206120636f6d6d656e7420666f7220706f6c696379206f696420312e322e332e3430819d0603551d11048195308192821a617574682e696e7465726e616c2e6172656e647473656e2e646b821c6175746830322e696e7465726e616c2e6172656e647473656e2e646b821c6c64617030322e696e746572 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x14fba4be16eca9e8a4487bf82773588b (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 3 from 192.168.254.54:62613 to 192.168.254.16:1812 length 168 (3) User-Name = "6bd4a86988324e56b2dcdcf053161a02" (3) EAP-Key-Name = 0x00 (3) NAS-IP-Address = 127.0.0.1 (3) Calling-Station-Id = "02-00-00-00-00-01" (3) Framed-MTU = 1400 (3) NAS-Port-Type = Wireless-802.11 (3) Service-Type = Framed-User (3) Connect-Info = "CONNECT 11Mbps 802.11b" (3) EAP-Message = 0x021700060d00 (3) State = 0x14fba4be16eca9e8a4487bf82773588b (3) Message-Authenticator = 0x9871f19b4de434a1e2288aed7e98502a (3) Restoring &session-state (3) &session-state:Framed-MTU = 994 (3) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "6bd4a86988324e56b2dcdcf053161a02", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 23 length 6 (3) eap: No EAP Start, assuming it's an on-going EAP conversation (3) [eap] = updated (3) } # authorize = updated (3) Found Auth-Type = eap (3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x14fba4be16eca9e8 (3) eap: Finished EAP session with state 0x14fba4be16eca9e8 (3) eap: Previous EAP request found for state 0x14fba4be16eca9e8, released from the list (3) eap: Peer sent packet with method EAP TLS (13) (3) eap: Calling submodule eap_tls to process data (3) eap_tls: (TLS) Peer ACKed our handshake fragment (3) eap: Sending EAP Request (code 1) ID 24 length 638 (3) eap: EAP session adding &reply:State = 0x14fba4be17e3a9e8 (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (3) Challenge { ... } # empty sub-section is ignored (3) session-state: Saving cached attributes (3) Framed-MTU = 994 (3) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (3) Sent Access-Challenge Id 3 from 192.168.254.16:1812 to 192.168.254.54:62613 length 700 (3) EAP-Message = 0x0118027e0d8000000a38107752978f2a724ead48a97e826eb9f09eaaee7fd63d70da10c11f0f5817303c6f0269378efcfd0b250e2b2778d415458ddeb81c5f3230ee58abfd54fbed631df267378402efbaa6ac8bc3f74683d1ae79b5e19a4569d9225543329a12960aca5276d47c2f9e8b1c3b352a30b31dad78c97c91801819a7e44a6ef9588839ebf3f65eb26baeb23f60545010146fc39888f7f31d80c187b4d3610d4c752a30a993d34c85589cddacc952f3047deac6b258b6225ae66bbcc59122fb381017e49a4d0b967ba8dd753c3b7a11e7966e7a65b1e3376dc220b7775b802ca85a1e573373d7d93bc55c6dd934cd07cda58f0d389a77b510ad99d2a2f6e4710cbe8e2d40c0eba7fbea050f708d879ddedcd053792d7e5f3d3b5c0a15ca4b456c70bf27fce161e08876325a22967d749fd182ba0d4e46a3eb9effab03311e3db7cc8be5f2cc18a58c453f96f1791c28bfc21606db4d2352b6846664beb49586160303010c0d00010803010240002e04030503 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x14fba4be17e3a9e8a4487bf82773588b (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 4 from 192.168.254.54:62613 to 192.168.254.16:1812 length 1580 (4) User-Name = "6bd4a86988324e56b2dcdcf053161a02" (4) EAP-Key-Name = 0x00 (4) NAS-IP-Address = 127.0.0.1 (4) Calling-Station-Id = "02-00-00-00-00-01" (4) Framed-MTU = 1400 (4) NAS-Port-Type = Wireless-802.11 (4) Service-Type = Framed-User (4) Connect-Info = "CONNECT 11Mbps 802.11b" (4) EAP-Message = 0x021805800dc00000089116030306810b00067d00067a00067730820673308204dba003020102020a72ff95dcf40cd6883c85300d06092a864886f70d01010b05003052310b300906035504061302444b31123010060355040a0c094172656e647473656e312f302d06035504030c264172656e647473656e2044657669636573204973737573696e67204341203230323131303131301e170d3233303831363231313935305a170d3234303831363231313935305a30818531123010060a0992268993f22c6401191602646b31193017060a0992268993f22c64011916096172656e647473656e31173015060a0992268993f22c6401191607646576696365733110300e060355040b0c07646576696365733129302706035504030c203662643461383639383833323465353662326463646366303533313631613032308201a2300d06092a864886f70d01010105000382018f003082018a02820181009e1b1c7a2c83bb361794d38eb309c077f5256f55aa561a1345 (4) State = 0x14fba4be17e3a9e8a4487bf82773588b (4) Message-Authenticator = 0xe63ca286220dbad8bd0d78723edcf1f9 (4) Restoring &session-state (4) &session-state:Framed-MTU = 994 (4) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (4) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "6bd4a86988324e56b2dcdcf053161a02", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 24 length 1408 (4) eap: No EAP Start, assuming it's an on-going EAP conversation (4) [eap] = updated (4) } # authorize = updated (4) Found Auth-Type = eap (4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x14fba4be17e3a9e8 (4) eap: Finished EAP session with state 0x14fba4be17e3a9e8 (4) eap: Previous EAP request found for state 0x14fba4be17e3a9e8, released from the list (4) eap: Peer sent packet with method EAP TLS (13) (4) eap: Calling submodule eap_tls to process data (4) eap_tls: (TLS) EAP Peer says that the final record size will be 2193 bytes (4) eap_tls: (TLS) EAP Expecting 2 fragments (4) eap_tls: (TLS) EAP Got first TLS fragment (1398 bytes). Peer says more fragments will follow (4) eap_tls: (TLS) EAP ACKing fragment, the peer should send more data. (4) eap: Sending EAP Request (code 1) ID 25 length 6 (4) eap: EAP session adding &reply:State = 0x14fba4be10e2a9e8 (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (4) Challenge { ... } # empty sub-section is ignored (4) session-state: Saving cached attributes (4) Framed-MTU = 994 (4) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (4) Sent Access-Challenge Id 4 from 192.168.254.16:1812 to 192.168.254.54:62613 length 64 (4) EAP-Message = 0x011900060d00 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x14fba4be10e2a9e8a4487bf82773588b (4) Finished request Waking up in 4.9 seconds. (5) Received Access-Request Id 5 from 192.168.254.54:62613 to 192.168.254.16:1812 length 969 (5) User-Name = "6bd4a86988324e56b2dcdcf053161a02" (5) EAP-Key-Name = 0x00 (5) NAS-IP-Address = 127.0.0.1 (5) Calling-Station-Id = "02-00-00-00-00-01" (5) Framed-MTU = 1400 (5) NAS-Port-Type = Wireless-802.11 (5) Service-Type = Framed-User (5) Connect-Info = "CONNECT 11Mbps 802.11b" (5) EAP-Message = 0x021903210d003ea1521a3018bec75974a6ae20db06b532b86f4e442a0452f8e8db48c45c9be8695bcfb42efde7716bb21f5a51bd15e7169215bac190d861a3f12d837e678015338cdcaf2ea5b80956e3282a765a2c6142d3168a0255cd99e910c791153b094f13252c4f6717914ea1df8635b4dff034a7e1a3ca044cb6d98b0a7ad116dd9d9f15ee4f45e5c0bc999d8a992623118449f29511da7fee4f578c070c32198f5792de4809cd4ad281b3ec503f5d12fc517b7ad1a6c230b93c4e981c7a5e24a58b74ccdc0d57fc9ee8535d61352a9eefb7ac93e5434250daa8415266af1cad38884cb2168c0d51f9c1acaa5aab989650fcf577a590e1323acc516a7115fbf3067f1a0613d2b7119df3cb41693e51b1a1ea071603030046100000424104c0bb130ca2545149c4a7230699e2dd03afe29e550500398ac0ab7dee0e3d92e0b0c7c536d9308b0ece1fb52ec2498362ccf620e3c2cd44b7cc2d057e69349bf716030301880f000184080401800c5c0749d11f1bc4ca (5) State = 0x14fba4be10e2a9e8a4487bf82773588b (5) Message-Authenticator = 0x8108013d7a922ef8a0ae1e1293da149f (5) Restoring &session-state (5) &session-state:Framed-MTU = 994 (5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (5) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "6bd4a86988324e56b2dcdcf053161a02", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 25 length 801 (5) eap: No EAP Start, assuming it's an on-going EAP conversation (5) [eap] = updated (5) } # authorize = updated (5) Found Auth-Type = eap (5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x14fba4be10e2a9e8 (5) eap: Finished EAP session with state 0x14fba4be10e2a9e8 (5) eap: Previous EAP request found for state 0x14fba4be10e2a9e8, released from the list (5) eap: Peer sent packet with method EAP TLS (13) (5) eap: Calling submodule eap_tls to process data (5) eap_tls: (TLS) EAP Got final fragment (795 bytes) (5) eap_tls: (TLS) EAP Done initial handshake (5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done (5) eap_tls: (TLS) recv TLS 1.2 Handshake, Certificate (5) eap_tls: (TLS) Creating attributes from server certificate (5) eap_tls: TLS-Cert-Serial := "714cce994724fbab9c091bbe8d98c700e39a3efb" (5) eap_tls: TLS-Cert-Expiration := "261013191708Z" (5) eap_tls: TLS-Cert-Valid-Since := "211011191708Z" (5) eap_tls: TLS-Cert-Subject := "/C=DK/O=Arendtsen/CN=Arendtsen Devices Issusing CA 20211011" (5) eap_tls: TLS-Cert-Issuer := "/CN=Arendtsen Root CA 20210823" (5) eap_tls: TLS-Cert-Common-Name := "Arendtsen Devices Issusing CA 20211011" (5) eap_tls: (TLS) Creating attributes from client certificate (5) eap_tls: TLS-Client-Cert-Serial := "72ff95dcf40cd6883c85" (5) eap_tls: TLS-Client-Cert-Expiration := "240816211950Z" (5) eap_tls: TLS-Client-Cert-Valid-Since := "230816211950Z" (5) eap_tls: TLS-Client-Cert-Subject := "/DC=dk/DC=arendtsen/DC=devices/OU=devices/CN=6bd4a86988324e56b2dcdcf053161a02" (5) eap_tls: TLS-Client-Cert-Issuer := "/C=DK/O=Arendtsen/CN=Arendtsen Devices Issusing CA 20211011" (5) eap_tls: TLS-Client-Cert-Common-Name := "6bd4a86988324e56b2dcdcf053161a02" (5) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:10:1C:A7:8C:D7:17:69:61:C6:0B:F3:8F:B2:D4:7E:EC:0D:11:82:27\n" (5) eap_tls: TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE" (5) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication" (5) eap_tls: TLS-Client-Cert-X509v3-Certificate-Policies += "Policy: 1.2.3.4\n CPS: http://pki.arendtsen.dk/cps.html\n CPS: http://pki.arendtsen.dk/cps.html\n User Notice:\n Explicit Text: This is a comment for policy oid 1.2.3.4\n" (5) eap_tls: TLS-Client-Cert-X509v3-Subject-Key-Identifier += "AE:82:62:6F:EA:A4:FF:BE:D0:36:FE:AD:C8:6C:4C:AE:4A:D1:E6:CE" (5) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" Certificate chain - 1 cert(s) untrusted (TLS) untrusted certificate with depth [0] subject name /DC=dk/DC=arendtsen/DC=devices/OU=devices/CN=6bd4a86988324e56b2dcdcf053161a02 (5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client certificate (5) eap_tls: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange (5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client key exchange (5) eap_tls: (TLS) recv TLS 1.2 Handshake, CertificateVerify (5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read certificate verify (5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read change cipher spec (5) eap_tls: (TLS) recv TLS 1.2 Handshake, Finished (5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read finished (5) eap_tls: (TLS) send TLS 1.2 ChangeCipherSpec (5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write change cipher spec (5) eap_tls: (TLS) send TLS 1.2 Handshake, Finished (5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write finished (5) eap_tls: (TLS) Handshake state - SSL negotiation finished successfully (5) eap_tls: (TLS) Connection Established (5) eap_tls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (5) eap_tls: TLS-Session-Version = "TLS 1.2" (5) eap: Sending EAP Request (code 1) ID 26 length 61 (5) eap: EAP session adding &reply:State = 0x14fba4be11e1a9e8 (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (5) Challenge { ... } # empty sub-section is ignored (5) session-state: Saving cached attributes (5) Framed-MTU = 994 (5) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (5) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Certificate" (5) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (5) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, CertificateVerify" (5) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (5) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (5) TLS-Session-Version = "TLS 1.2" (5) Sent Access-Challenge Id 5 from 192.168.254.16:1812 to 192.168.254.54:62613 length 119 (5) EAP-Message = 0x011a003d0d8000000033140303000101160303002841fec7d60128e1c2c5c6084b3752748d80cad45f1ac85ff9ed1d8010c488e57da54fc9d3783dd2ae (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x14fba4be11e1a9e8a4487bf82773588b (5) Finished request Waking up in 4.9 seconds. (6) Received Access-Request Id 6 from 192.168.254.54:62613 to 192.168.254.16:1812 length 168 (6) User-Name = "6bd4a86988324e56b2dcdcf053161a02" (6) EAP-Key-Name = 0x00 (6) NAS-IP-Address = 127.0.0.1 (6) Calling-Station-Id = "02-00-00-00-00-01" (6) Framed-MTU = 1400 (6) NAS-Port-Type = Wireless-802.11 (6) Service-Type = Framed-User (6) Connect-Info = "CONNECT 11Mbps 802.11b" (6) EAP-Message = 0x021a00060d00 (6) State = 0x14fba4be11e1a9e8a4487bf82773588b (6) Message-Authenticator = 0xcc48fa978977bee8a4cca9f448e5a3c0 (6) Restoring &session-state (6) &session-state:Framed-MTU = 994 (6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Certificate" (6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, CertificateVerify" (6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (6) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (6) &session-state:TLS-Session-Version = "TLS 1.2" (6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "6bd4a86988324e56b2dcdcf053161a02", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 26 length 6 (6) eap: No EAP Start, assuming it's an on-going EAP conversation (6) [eap] = updated (6) } # authorize = updated (6) Found Auth-Type = eap (6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x14fba4be11e1a9e8 (6) eap: Finished EAP session with state 0x14fba4be11e1a9e8 (6) eap: Previous EAP request found for state 0x14fba4be11e1a9e8, released from the list (6) eap: Peer sent packet with method EAP TLS (13) (6) eap: Calling submodule eap_tls to process data (6) eap_tls: (TLS) Peer ACKed our handshake fragment. handshake is finished (6) eap_tls: Validating certificate (6) Virtual server check-eap-tls-arendtsen received request (6) User-Name = "6bd4a86988324e56b2dcdcf053161a02" (6) EAP-Key-Name = 0x00 (6) NAS-IP-Address = 127.0.0.1 (6) Calling-Station-Id = "02-00-00-00-00-01" (6) Framed-MTU = 1400 (6) NAS-Port-Type = Wireless-802.11 (6) Service-Type = Framed-User (6) Connect-Info = "CONNECT 11Mbps 802.11b" (6) EAP-Message = 0x021a00060d00 (6) State = 0x14fba4be11e1a9e8a4487bf82773588b (6) Message-Authenticator = 0xcc48fa978977bee8a4cca9f448e5a3c0 (6) Event-Timestamp = "Aug 22 2023 11:13:31 CEST" (6) EAP-Type = TLS (6) TLS-Cert-Serial := "714cce994724fbab9c091bbe8d98c700e39a3efb" (6) TLS-Cert-Expiration := "261013191708Z" (6) TLS-Cert-Valid-Since := "211011191708Z" (6) TLS-Cert-Subject := "/C=DK/O=Arendtsen/CN=Arendtsen Devices Issusing CA 20211011" (6) TLS-Cert-Issuer := "/CN=Arendtsen Root CA 20210823" (6) TLS-Cert-Common-Name := "Arendtsen Devices Issusing CA 20211011" (6) TLS-Client-Cert-Serial := "72ff95dcf40cd6883c85" (6) TLS-Client-Cert-Expiration := "240816211950Z" (6) TLS-Client-Cert-Valid-Since := "230816211950Z" (6) TLS-Client-Cert-Subject := "/DC=dk/DC=arendtsen/DC=devices/OU=devices/CN=6bd4a86988324e56b2dcdcf053161a02" (6) TLS-Client-Cert-Issuer := "/C=DK/O=Arendtsen/CN=Arendtsen Devices Issusing CA 20211011" (6) TLS-Client-Cert-Common-Name := "6bd4a86988324e56b2dcdcf053161a02" (6) TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:10:1C:A7:8C:D7:17:69:61:C6:0B:F3:8F:B2:D4:7E:EC:0D:11:82:27\n" (6) TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE" (6) TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication" (6) TLS-Client-Cert-X509v3-Certificate-Policies += "Policy: 1.2.3.4\n CPS: http://pki.arendtsen.dk/cps.html\n CPS: http://pki.arendtsen.dk/cps.html\n User Notice:\n Explicit Text: This is a comment for policy oid 1.2.3.4\n" (6) TLS-Client-Cert-X509v3-Subject-Key-Identifier += "AE:82:62:6F:EA:A4:FF:BE:D0:36:FE:AD:C8:6C:4C:AE:4A:D1:E6:CE" (6) TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" (6) WARNING: Outer and inner identities are the same. User privacy is compromised. (6) server check-eap-tls-arendtsen { (6) session-state: No cached attributes (6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/check-eap-tls-arendtsen (6) authorize { (6) if (&User-Name == &TLS-Client-Cert-Common-Name) { (6) if (&User-Name == &TLS-Client-Cert-Common-Name) -> TRUE (6) if (&User-Name == &TLS-Client-Cert-Common-Name) { (6) update config { (6) &Auth-Type := Accept (6) } # update config = noop (6) } # if (&User-Name == &TLS-Client-Cert-Common-Name) = noop (6) ... skipping else: Preceding "if" was taken rlm_ldap (ldap): Reserved connection (0) (6) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (6) ldap: --> (uid=6bd4a86988324e56b2dcdcf053161a02) (6) ldap: Performing search in "dc=users,dc=arendtsen,dc=dk" with filter "(uid=6bd4a86988324e56b2dcdcf053161a02)", scope "sub" (6) ldap: Waiting for search result... (6) ldap: User object found at DN "uid=6bd4a86988324e56b2dcdcf053161a02,ou=computers,ou=devices,dc=users,dc=arendtsen,dc=dk" (6) ldap: EXPAND (&(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))) (6) ldap: --> (&(objectClass=posixGroup)(|(member=uid\3d6bd4a86988324e56b2dcdcf053161a02\2cou\3dcomputers\2cou\3ddevices\2cdc\3dusers\2cdc\3darendtsen\2cdc\3ddk)(memberUid=6bd4a86988324e56b2dcdcf053161a02))) (6) ldap: Performing search in "dc=groups,dc=arendtsen,dc=dk" with filter "(&(objectClass=posixGroup)(|(member=uid\3d6bd4a86988324e56b2dcdcf053161a02\2cou\3dcomputers\2cou\3ddevices\2cdc\3dusers\2cdc\3darendtsen\2cdc\3ddk)(memberUid=6bd4a86988324e56b2dcdcf053161a02)))", scope "sub" (6) ldap: Waiting for search result... (6) ldap: Adding cacheable group object memberships (6) ldap: &control:LDAP-Group += "radius-vlan-secure" (6) ldap: Processing user attributes (6) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (6) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Released connection (0) (6) [ldap] = ok (6) [files] = noop (6) auth_log: EXPAND /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (6) auth_log: --> /var/log/radacct/192.168.254.54/auth-detail-20230822 (6) auth_log: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/192.168.254.54/auth-detail-20230822 (6) auth_log: EXPAND %t (6) auth_log: --> Tue Aug 22 11:13:31 2023 (6) [auth_log] = ok (6) } # authorize = ok (6) Found Auth-Type = Accept (6) Auth-Type = Accept, accepting the user (6) } # server check-eap-tls-arendtsen (6) Virtual server sending reply (6) eap: Sending EAP Success (code 3) ID 26 length 4 (6) eap: Freeing handler (6) [eap] = ok (6) } # authenticate = ok (6) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (6) post-auth { (6) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (6) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (6) update { (6) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994 (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake, ClientHello' (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHello' (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Certificate' (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerKeyExchange' (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, CertificateRequest' (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHelloDone' (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, Certificate' (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, ClientKeyExchange' (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, CertificateVerify' (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, Finished' (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 ChangeCipherSpec' (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Finished' (6) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384' (6) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2' (6) } # update = noop (6) [exec] = noop (6) policy remove_reply_message_if_eap { (6) if (&reply:EAP-Message && &reply:Reply-Message) { (6) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (6) else { (6) [noop] = noop (6) } # else = noop (6) } # policy remove_reply_message_if_eap = noop (6) if (EAP-Key-Name && &reply:EAP-Session-Id) { (6) if (EAP-Key-Name && &reply:EAP-Session-Id) -> TRUE (6) if (EAP-Key-Name && &reply:EAP-Session-Id) { (6) update reply { (6) &EAP-Key-Name := &reply:EAP-Session-Id -> 0x0dc2ebfd63e900841e023156f44d79f8e808024f49764561d3542fe0f7afc1f07fadc120f95a74ceb3f8b403d0a283ba46d823126aced0af9787b4232a33cd7078 (6) } # update reply = noop (6) } # if (EAP-Key-Name && &reply:EAP-Session-Id) = noop (6) } # post-auth = noop (6) Sent Access-Accept Id 6 from 192.168.254.16:1812 to 192.168.254.54:62613 length 267 (6) MS-MPPE-Recv-Key = 0x783200e8af5ccc9ef6355239f42c81122044e17271df4b05b147c08c3bdebe41 (6) MS-MPPE-Send-Key = 0x0143c2f394e68d84c1a215b48466693df8388910fe6e844f25b1b4229170161c (6) EAP-Message = 0x031a0004 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) User-Name = "6bd4a86988324e56b2dcdcf053161a02" (6) Framed-MTU += 994 (6) EAP-Key-Name := 0x0dc2ebfd63e900841e023156f44d79f8e808024f49764561d3542fe0f7afc1f07fadc120f95a74ceb3f8b403d0a283ba46d823126aced0af9787b4232a33cd7078 (6) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 0 with timestamp +6 due to cleanup_delay was reached (1) Cleaning up request packet ID 1 with timestamp +6 due to cleanup_delay was reached (2) Cleaning up request packet ID 2 with timestamp +6 due to cleanup_delay was reached (3) Cleaning up request packet ID 3 with timestamp +6 due to cleanup_delay was reached (4) Cleaning up request packet ID 4 with timestamp +6 due to cleanup_delay was reached (5) Cleaning up request packet ID 5 with timestamp +6 due to cleanup_delay was reached (6) Cleaning up request packet ID 6 with timestamp +6 due to cleanup_delay was reached Ready to process requests