freeradius dot1x dynamic vlan assignment, Kovrevskii, 07-Dec-22, 12:35

Good afternoon! On the forum I found a description of a problem similar to mine, https://www.opennet.ru/openforum/vsluhforumID6/19307.html, but my situation is slightly different. I am trying to set up FreeRADIUS integrated with AD, with dot1x authentication of wired users and VLAN assignment. I have done all the necessary configuration and set up the post-auth section of /etc/raddb/sites-available/inner-tunnel:

    post-auth {
        if (0) {
            update reply {
                User-Name !* ANY
                Message-Authenticator !* ANY
                EAP-Message !* ANY
                Proxy-State !* ANY
                MS-MPPE-Encryption-Types !* ANY
                MS-MPPE-Encryption-Policy !* ANY
                MS-MPPE-Send-Key !* ANY
                MS-MPPE-Recv-Key !* ANY
                Tunnel-Type = 13,
                Tunnel-Medium-Type = 6,
                Tunnel-Private-Group-Id = "150"
            }
            update {
                &outer.session-state: += &reply:
            }
        }

Authentication via dot1x works, but the VLAN assignment is NOT performed (the attributes have no effect). If I set if (1) instead, dot1x authentication fails and radiusd -X shows the error:

    update {
    ERROR: Mapping "&reply:" -> "&outer.session-state:" invalid in this context
    ....
    update outer.session-state {
    ERROR: Mapping "&request:Module-Failure-Message" -> "&Module-Failure-Message" invalid in this context

Has anyone set up a scheme like this? What am I doing wrong?
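The copy-to-outer mechanism the post relies on, shown end to end as an added example (not the poster's config): the inner-tunnel post-auth sets the VLAN attributes and hands them to the outer request's session-state, and the default virtual server's post-auth merges session-state into the reply that actually goes back to the switch. It assumes the switch's Access-Requests are processed by sites-enabled/default and only the PEAP inner EAP by inner-tunnel, because &outer.session-state exists only for a request that has an outer request; VLAN 150 and the numeric values 13 and 6 (VLAN and IEEE-802 in the dictionary) are taken from the post.

```unlang
# /etc/raddb/sites-available/inner-tunnel  (handles only the tunneled inner EAP)
post-auth {
    # Decide the VLAN inside the tunnel, where the inner identity is visible.
    # VLAN / IEEE-802 are the dictionary names for the values 13 and 6 in the post.
    update reply {
        Tunnel-Type             = VLAN
        Tunnel-Medium-Type      = IEEE-802
        Tunnel-Private-Group-Id = "150"
    }

    # Strip inner-only attributes so they are never leaked into the outer reply,
    # then hand everything else to the outer request. The outer request keeps it
    # in session-state across the remaining Access-Challenge round trips.
    update reply {
        User-Name                 !* ANY
        Message-Authenticator     !* ANY
        EAP-Message               !* ANY
        Proxy-State               !* ANY
        MS-MPPE-Encryption-Types  !* ANY
        MS-MPPE-Encryption-Policy !* ANY
        MS-MPPE-Send-Key          !* ANY
        MS-MPPE-Recv-Key          !* ANY
    }
    update {
        &outer.session-state: += &reply:
    }
}

# /etc/raddb/sites-available/default  (the server the switch's requests arrive at)
post-auth {
    # Only this request has a reply the switch will see. Merging session-state
    # into it on the final Access-Accept is what puts the Tunnel-* attributes
    # on the wire.
    update {
        &reply: += &session-state:
    }
}
```

When checking this with radiusd -X, the final Access-Request from the switch should show a "Restoring &session-state" line listing the Tunnel-* attributes before the default server's post-auth runs, and the Access-Accept should carry them.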
- freeradius dot1x dynamic vlan assignment, Kovrevskii, 12:53, 07-Dec-22 (1)
Adding the radiusd -X output from the user's authentication attempt with if (0).
- freeradius dot1x dynamic vlan assignment, Kovrevskii, 12:56, 07-Dec-22 (2)
Continuation of the output.
- freeradius dot1x dynamic vlan assignment, Kovrevskii, 12:57, 07-Dec-22 (3)
0x80bfe1b681b6fb9c548551106d70804b (7) eap_peap: Got tunneled reply RADIUS code 11 (7) eap_peap: EAP-Message = 0x010900331a0308002e533d44314232383535354646394633443139353244354646323241464439334642423744433431454443 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0x80bfe1b681b6fb9c548551106d70804b (7) eap_peap: Got tunneled Access-Challenge (7) eap: Sending EAP Request (code 1) ID 9 length 82 (7) eap: EAP session adding &reply:State = 0x8e11447889185d5a (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) Post-Auth-Type sub-section not found. Ignoring. (7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (7) session-state: Saving cached attributes (7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (7) TLS-Session-Version = "TLS 1.2" (7) Sent Access-Challenge Id 5 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0 (7) EAP-Message = 0x01090052190017030300479251a406bf3dbfb3166d1b07af90422c9dbb30f717afcdb2ae4171be6c905619e570bc3dc857a60fea9d389487fd3ab7176e072cc2d7605a273cffb73134a07fc8807300df4c67 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x8e11447889185d5aaaf63b261b53a370 (7) Finished request Waking up in 2.6 seconds. 
(8) Received Access-Request Id 6 from 10.8.150.118:1645 to 10.70.42.77:1645 length 206 (8) User-Name = "host/WNAMTest.stand.ru" (8) Service-Type = Framed-User (8) Framed-MTU = 1504 (8) Called-Station-Id = "00-17-E0-1C-15-87" (8) Calling-Station-Id = "00-E0-4C-31-0E-67" (8) EAP-Message = 0x020900251900170303001a000000000000000378eec0b094f6e356c114d3636da01d0302c8 (8) Message-Authenticator = 0xe7e52adeeb798f38bd7c85806f6088a1 (8) NAS-Port-Type = Ethernet (8) NAS-Port = 50005 (8) NAS-Port-Id = "FastEthernet0/5" (8) State = 0x8e11447889185d5aaaf63b261b53a370 (8) NAS-IP-Address = 10.8.150.118 (8) Restoring &session-state (8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (8) &session-state:TLS-Session-Version = "TLS 1.2" (8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) update control { (8) &Proxy-To-Realm := LOCAL (8) } # update control = noop (8) eap: Peer sent EAP Response (code 2) ID 9 length 37 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file 
/etc/raddb/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Expiring EAP session with state 0x80bfe1b681b6fb9c (8) eap: Finished EAP session with state 0x8e11447889185d5a (8) eap: Previous EAP request found for state 0x8e11447889185d5a, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state phase2 (8) eap_peap: EAP method MSCHAPv2 (26) (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x020900061a03 (8) eap_peap: Setting User-Name to host/WNAMTest.stand.ru (8) eap_peap: Sending tunneled request to inner-tunnel (8) eap_peap: EAP-Message = 0x020900061a03 (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "host/WNAMTest.stand.ru" (8) eap_peap: State = 0x80bfe1b681b6fb9c548551106d70804b (8) Virtual server inner-tunnel received request (8) EAP-Message = 0x020900061a03 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "host/WNAMTest.stand.ru" (8) State = 0x80bfe1b681b6fb9c548551106d70804b (8) WARNING: Outer and inner identities are the same. User privacy is compromised. 
(8) server inner-tunnel { (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) update control { (8) &Proxy-To-Realm := LOCAL (8) } # update control = noop (8) eap: Peer sent EAP Response (code 2) ID 9 length 6 (8) eap: No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [files] = noop (8) [expiration] = noop (8) [logintime] = noop (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Expiring EAP session with state 0x80bfe1b681b6fb9c (8) eap: Finished EAP session with state 0x80bfe1b681b6fb9c (8) eap: Previous EAP request found for state 0x80bfe1b681b6fb9c, released from the list (8) eap: Peer sent packet with method EAP MSCHAPv2 (26) (8) eap: Calling submodule eap_mschapv2 to process data (8) eap: Sending EAP Success (code 3) ID 9 length 4 (8) eap: Freeing handler (8) [eap] = ok (8) } # authenticate = ok (8) # Executing section post-auth from file 
/etc/raddb/sites-enabled/inner-tunnel
(8)   post-auth {
(8)     if (0) {
(8)     if (0)  -> FALSE
(8)   } # post-auth = noop
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8)   MS-MPPE-Encryption-Policy = Encryption-Required
(8)   MS-MPPE-Encryption-Types = 4
(8)   MS-MPPE-Send-Key = 0xe444906440d09dcefe30e65f8a455ffe
(8)   MS-MPPE-Recv-Key = 0xdf0ca8f806b3a21c299fcfc99f87791b
(8)   EAP-Message = 0x03090004
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   User-Name = "host/WNAMTest.stand.ru"
(8) eap_peap: Got tunneled reply code 2
(8) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Required
(8) eap_peap:   MS-MPPE-Encryption-Types = 4
(8) eap_peap:   MS-MPPE-Send-Key = 0xe444906440d09dcefe30e65f8a455ffe
(8) eap_peap:   MS-MPPE-Recv-Key = 0xdf0ca8f806b3a21c299fcfc99f87791b
(8) eap_peap:   EAP-Message = 0x03090004
(8) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap:   User-Name = "host/WNAMTest.stand.ru"
(8) eap_peap: Got tunneled reply RADIUS code 2
(8) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Required
(8) eap_peap:   MS-MPPE-Encryption-Types = 4
(8) eap_peap:   MS-MPPE-Send-Key = 0xe444906440d09dcefe30e65f8a455ffe
(8) eap_peap:   MS-MPPE-Recv-Key = 0xdf0ca8f806b3a21c299fcfc99f87791b
(8) eap_peap:   EAP-Message = 0x03090004
(8) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap:   User-Name = "host/WNAMTest.stand.ru"
(8) eap_peap: Tunneled authentication was successful
(8) eap_peap: SUCCESS
(8) eap_peap: Saving tunneled attributes for later
(8) eap: Sending EAP Request (code 1) ID 10 length 46
(8) eap: EAP session adding &reply:State = 0x8e114478861b5d5a
(8)     [eap] = handled
(8)   } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found.  Ignoring.
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) session-state: Saving cached attributes (8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (8) TLS-Session-Version = "TLS 1.2" (8) Sent Access-Challenge Id 6 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0 (8) EAP-Message = 0x010a002e190017030300239251a406bf3dbfb461f9265352132b6168ac7357152cb9b634037994ebe332a9110348 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x8e114478861b5d5aaaf63b261b53a370 (8) Finished request Waking up in 1.1 seconds. (9) Received Access-Request Id 7 from 10.8.150.118:1645 to 10.70.42.77:1645 length 215 (9) User-Name = "host/WNAMTest.stand.ru" (9) Service-Type = Framed-User (9) Framed-MTU = 1504 (9) Called-Station-Id = "00-17-E0-1C-15-87" (9) Calling-Station-Id = "00-E0-4C-31-0E-67" (9) EAP-Message = 0x020a002e190017030300230000000000000004927ddd170135351a86f47838145a40afaf72f135003b599166820a (9) Message-Authenticator = 0x341162108426d80f1a33e359b5f4e4ec (9) NAS-Port-Type = Ethernet (9) NAS-Port = 50005 (9) NAS-Port-Id = "FastEthernet0/5" (9) State = 0x8e114478861b5d5aaaf63b261b53a370 (9) NAS-IP-Address = 10.8.150.118 (9) Restoring &session-state (9) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (9) &session-state:TLS-Session-Version = "TLS 1.2" (9) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if 
(&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) [chap] = noop (9) [mschap] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) update control { (9) &Proxy-To-Realm := LOCAL (9) } # update control = noop (9) eap: Peer sent EAP Response (code 2) ID 10 length 46 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (9) authenticate { (9) eap: Expiring EAP session with state 0x8e114478861b5d5a (9) eap: Finished EAP session with state 0x8e114478861b5d5a (9) eap: Previous EAP request found for state 0x8e114478861b5d5a, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: [eaptls verify] = ok (9) eap_peap: Done initial handshake (9) eap_peap: [eaptls process] = ok (9) eap_peap: Session established. 
Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv success
(9) eap_peap: Received EAP-TLV response
(9) eap_peap: Success
(9) eap_peap: Using saved attributes from the original Access-Accept
(9) eap_peap:   User-Name = "host/WNAMTest.stand.ru"
(9) eap: Sending EAP Success (code 3) ID 10 length 4
(9) eap: Freeing handler
(9)     [eap] = ok
(9)   } # authenticate = ok
(9) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
(9)   post-auth {
(9)     if (0) {
(9)     if (0)  -> FALSE
(9)   } # post-auth = noop
(9) Sent Access-Accept Id 7 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0
(9)   User-Name = "host/WNAMTest.stand.ru"
(9)   MS-MPPE-Recv-Key = 0xaca43fa253ab9317739a3fb461cbcbe7135a0e64c859ba294d13521ab23900e5
(9)   MS-MPPE-Send-Key = 0x7a13c3ceca352d8324a687be674add16c6b032682308cfc6859ea2974fe41e3e
(9)   EAP-Message = 0x030a0004
(9)   Message-Authenticator = 0x00000000000000000000000000000000
(9) Finished request
Waking up in 0.2 seconds.
(0) Cleaning up request packet ID 254 with timestamp +286
(1) Cleaning up request packet ID 255 with timestamp +286
(2) Cleaning up request packet ID 0 with timestamp +286
(3) Cleaning up request packet ID 1 with timestamp +286
(4) Cleaning up request packet ID 2 with timestamp +286
(5) Cleaning up request packet ID 3 with timestamp +286
Waking up in 0.4 seconds.
(6) Cleaning up request packet ID 4 with timestamp +286
Waking up in 1.7 seconds.
(7) Cleaning up request packet ID 5 with timestamp +288
Waking up in 1.5 seconds.
(8) Cleaning up request packet ID 6 with timestamp +289
Waking up in 0.8 seconds.
(9) Cleaning up request packet ID 7 with timestamp +290
- freeradius dot1x dynamic vlan assignment, Kovrevskii, 13:07 , 07-Dec-22 (4)
If I put if (1) in the post-auth section, I get an error:

(8) Received Access-Request Id 16 from 10.8.150.118:1645 to 10.70.42.77:1645 length 206
(8)   User-Name = "host/WNAMTest.stand.ru"
(8)   Service-Type = Framed-User
(8)   Framed-MTU = 1504
(8)   Called-Station-Id = "00-17-E0-1C-15-87"
(8)   Calling-Station-Id = "00-E0-4C-31-0E-67"
(8)   EAP-Message = 0x020900251900170303001a0000000000000003bfc49b79f8e6a33b3dbb7bd7c40602262192
(8)   Message-Authenticator = 0x85293261230a81879ef33b04ef76807d
(8)   NAS-Port-Type = Ethernet
(8)   NAS-Port = 50005
(8)   NAS-Port-Id = "FastEthernet0/5"
(8)   State = 0x35db708332d269e6230a007503c37627
(8)   NAS-IP-Address = 10.8.150.118
(8) Restoring &session-state
(8)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8)   &session-state:TLS-Session-Version = "TLS 1.2"
(8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(8)   authorize {
(8)     policy filter_username {
(8)       if (&User-Name) {
(8)       if (&User-Name)  -> TRUE
(8)       if (&User-Name)  {
(8)         if (&User-Name =~ / /) {
(8)         if (&User-Name =~ / /)  -> FALSE
(8)         if (&User-Name =~ /@[^@]*@/ ) {
(8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)         if (&User-Name =~ /\.\./ ) {
(8)         if (&User-Name =~ /\.\./ )  -> FALSE
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(8)         if (&User-Name =~ /\.$/)  {
(8)         if (&User-Name =~ /\.$/)   -> FALSE
(8)         if (&User-Name =~ /@\./)  {
(8)         if (&User-Name =~ /@\./)   -> FALSE
(8)       } # if (&User-Name)  = notfound
(8)     } # policy filter_username = notfound
(8)     [chap] = noop
(8)     [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)     [suffix] = noop
(8)     update control {
(8)       &Proxy-To-Realm := LOCAL
(8)     } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 9 length 37
(8) eap: Continuing tunnel setup
(8)     [eap] = ok
(8)   } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8)   authenticate {
(8) eap: Expiring EAP session with state 0xe0803171e1892b17
(8) eap: Finished EAP session with state 0x35db708332d269e6
(8) eap: Previous EAP request found for state 0x35db708332d269e6, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established.  Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap:   EAP-Message = 0x020900061a03
(8) eap_peap: Setting User-Name to host/WNAMTest.stand.ru
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap:   EAP-Message = 0x020900061a03
(8) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap:   User-Name = "host/WNAMTest.stand.ru"
(8) eap_peap:   State = 0xe0803171e1892b17e57438631f9978dd
(8) Virtual server inner-tunnel received request
(8)   EAP-Message = 0x020900061a03
(8)   FreeRADIUS-Proxied-To = 127.0.0.1
(8)   User-Name = "host/WNAMTest.stand.ru"
(8)   State = 0xe0803171e1892b17e57438631f9978dd
(8) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(8) server inner-tunnel {
(8)   session-state: No cached attributes
(8)   # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(8)     authorize {
(8)       policy filter_username {
(8)         if (&User-Name) {
(8)         if (&User-Name)  -> TRUE
(8)         if (&User-Name)  {
(8)           if (&User-Name =~ / /) {
(8)           if (&User-Name =~ / /)  -> FALSE
(8)           if (&User-Name =~ /@[^@]*@/ ) {
(8)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)           if (&User-Name =~ /\.\./ ) {
(8)           if (&User-Name =~ /\.\./ )  -> FALSE
(8)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(8)           if (&User-Name =~ /\.$/)  {
(8)           if (&User-Name =~ /\.$/)   -> FALSE
(8)           if (&User-Name =~ /@\./)  {
(8)           if (&User-Name =~ /@\./)   -> FALSE
(8)         } # if (&User-Name)  = notfound
(8)       } # policy filter_username = notfound
(8)       [chap] = noop
(8)       [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)       [suffix] = noop
(8)       update control {
(8)         &Proxy-To-Realm := LOCAL
(8)       } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 9 length 6
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8)       [eap] = updated
(8)       [files] = noop
(8)       [expiration] = noop
(8)       [logintime] = noop
(8)       [pap] = noop
(8)     } # authorize = updated
(8)   Found Auth-Type = eap
(8)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8)     authenticate {
(8) eap: Expiring EAP session with state 0xe0803171e1892b17
(8) eap: Finished EAP session with state 0xe0803171e1892b17
(8) eap: Previous EAP request found for state 0xe0803171e1892b17, released from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap: Sending EAP Success (code 3) ID 9 length 4
(8) eap: Freeing handler
(8)       [eap] = ok
(8)     } # authenticate = ok
(8)   # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
(8)     post-auth {
(8)       if (1) {
(8)       if (1)  -> TRUE
(8)       if (1)  {
(8)         update reply {
(8)           User-Name !* ANY
(8)           Message-Authenticator !* ANY
(8)           EAP-Message !* ANY
(8)           Proxy-State !* ANY
(8)           MS-MPPE-Encryption-Types !* ANY
(8)           MS-MPPE-Encryption-Policy !* ANY
(8)           MS-MPPE-Send-Key !* ANY
(8)           MS-MPPE-Recv-Key !* ANY
(8)           Tunnel-Type = VLAN
(8)           Tunnel-Medium-Type = IEEE-802
(8)           Tunnel-Private-Group-Id = "150"
(8)         } # update reply = noop
(8)         update {
(8)           &outer.session-state::Tunnel-Type += &reply:Tunnel-Type[*] -> VLAN
(8)           &outer.session-state::Tunnel-Medium-Type += &reply:Tunnel-Medium-Type[*] -> IEEE-802
(8)           &outer.session-state::Tunnel-Private-Group-Id += &reply:Tunnel-Private-Group-Id[*] -> '150'
(8)         } # update = noop
(8)       } # if (1)  = noop
(8)     } # post-auth = noop
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8)   Tunnel-Type = VLAN
(8)   Tunnel-Medium-Type = IEEE-802
(8)   Tunnel-Private-Group-Id = "150"
(8) eap_peap: Got tunneled reply code 2
(8) eap_peap:   Tunnel-Type = VLAN
(8) eap_peap:   Tunnel-Medium-Type = IEEE-802
(8) eap_peap:   Tunnel-Private-Group-Id = "150"
(8) eap_peap: Got tunneled reply RADIUS code 2
(8) eap_peap:   Tunnel-Type = VLAN
(8) eap_peap:   Tunnel-Medium-Type = IEEE-802
(8) eap_peap:   Tunnel-Private-Group-Id = "150"
(8) eap_peap: Tunneled authentication was successful
(8) eap_peap: SUCCESS
(8) eap_peap: Saving tunneled attributes for later
(8) eap: Sending EAP Request (code 1) ID 10 length 46
(8) eap: EAP session adding &reply:State = 0x35db70833dd169e6
(8)     [eap] = handled
(8)   } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found.  Ignoring.
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8) session-state: Saving cached attributes
(8)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8)   TLS-Session-Version = "TLS 1.2"
(8)   Tunnel-Type += VLAN
(8)   Tunnel-Medium-Type += IEEE-802
(8)   Tunnel-Private-Group-Id += "150"
(8) Sent Access-Challenge Id 16 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0
(8)   EAP-Message = 0x010a002e190017030300239656895d9d047f0c62289e622c8e69d1d72d7d601c1981ec4514bfc83655820d0b7eae
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   State = 0x35db70833dd169e6230a007503c37627
(8) Finished request
Waking up in 2.0 seconds.
(9) Received Access-Request Id 17 from 10.8.150.118:1645 to 10.70.42.77:1645 length 215
(9)   User-Name = "host/WNAMTest.stand.ru"
(9)   Service-Type = Framed-User
(9)   Framed-MTU = 1504
(9)   Called-Station-Id = "00-17-E0-1C-15-87"
(9)   Calling-Station-Id = "00-E0-4C-31-0E-67"
(9)   EAP-Message = 0x020a002e1900170303002300000000000000042f9e214e97dbecd34987e322d107aee761efe52b96b406123d7d9f
(9)   Message-Authenticator = 0x85051369b1f749095a19433c21200733
(9)   NAS-Port-Type = Ethernet
(9)   NAS-Port = 50005
(9)   NAS-Port-Id = "FastEthernet0/5"
(9)   State = 0x35db70833dd169e6230a007503c37627
(9)   NAS-IP-Address = 10.8.150.118
(9) Restoring &session-state
(9)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(9)   &session-state:TLS-Session-Version = "TLS 1.2"
(9)   &session-state:Tunnel-Type += VLAN
(9)   &session-state:Tunnel-Medium-Type += IEEE-802
(9)   &session-state:Tunnel-Private-Group-Id += "150"
(9) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(9)   authorize {
(9)     policy filter_username {
(9)       if (&User-Name) {
(9)       if (&User-Name)  -> TRUE
(9)       if (&User-Name)  {
(9)         if (&User-Name =~ / /) {
(9)         if (&User-Name =~ / /)  -> FALSE
(9)         if (&User-Name =~ /@[^@]*@/ ) {
(9)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(9)         if (&User-Name =~ /\.\./ ) {
(9)         if (&User-Name =~ /\.\./ )  -> FALSE
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(9)         if (&User-Name =~ /\.$/)  {
(9)         if (&User-Name =~ /\.$/)   -> FALSE
(9)         if (&User-Name =~ /@\./)  {
(9)         if (&User-Name =~ /@\./)   -> FALSE
(9)       } # if (&User-Name)  = notfound
(9)     } # policy filter_username = notfound
(9)     [chap] = noop
(9)     [mschap] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(9) suffix: No such realm "NULL"
(9)     [suffix] = noop
(9)     update control {
(9)       &Proxy-To-Realm := LOCAL
(9)     } # update control = noop
(9) eap: Peer sent EAP Response (code 2) ID 10 length 46
(9) eap: Continuing tunnel setup
(9)     [eap] = ok
(9)   } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(9)   authenticate {
(9) eap: Expiring EAP session with state 0x35db70833dd169e6
(9) eap: Finished EAP session with state 0x35db70833dd169e6
(9) eap: Previous EAP request found for state 0x35db70833dd169e6, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established.  Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv success
(9) eap_peap: Received EAP-TLV response
(9) eap_peap: Success
(9) eap_peap: Using saved attributes from the original Access-Accept
(9) eap_peap:   Tunnel-Type = VLAN
(9) eap_peap:   Tunnel-Medium-Type = IEEE-802
(9) eap_peap:   Tunnel-Private-Group-Id = "150"
(9) eap: Sending EAP Success (code 3) ID 10 length 4
(9) eap: Freeing handler
(9)     [eap] = ok
(9)   } # authenticate = ok
(9) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
(9)   post-auth {
(9)     if (1) {
(9)     if (1)  -> TRUE
(9)     if (1)  {
(9)       update reply {
(9)         User-Name !* ANY
(9)         Message-Authenticator !* ANY
(9)         EAP-Message !* ANY
(9)         Proxy-State !* ANY
(9)         MS-MPPE-Encryption-Types !* ANY
(9)         MS-MPPE-Encryption-Policy !* ANY
(9)         MS-MPPE-Send-Key !* ANY
(9)         MS-MPPE-Recv-Key !* ANY
(9)         Tunnel-Type = VLAN
(9)         Tunnel-Medium-Type = IEEE-802
(9)         Tunnel-Private-Group-Id = "150"
(9)       } # update reply = noop
(9)       update {
(9) ERROR: Mapping "&reply:" -> "&outer.session-state:" invalid in this context
(9)       } # update = invalid
(9)     } # if (1)  = invalid
(9)   } # post-auth = invalid
(9) Using Post-Auth-Type Reject
(9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(9)   Post-Auth-Type REJECT {
(9) attr_filter.access_reject: EXPAND %{User-Name}
(9) attr_filter.access_reject:    --> host/WNAMTest.stand.ru
(9) attr_filter.access_reject: Matched entry DEFAULT at line 11
(9)     [attr_filter.access_reject] = updated
(9)     update outer.session-state {
(9) ERROR: Mapping "&request:Module-Failure-Message" -> "&Module-Failure-Message" invalid in this context
(9)     } # update outer.session-state = invalid
(9)   } # Post-Auth-Type REJECT = invalid
(9) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.1 seconds.
(0) Cleaning up request packet ID 8 with timestamp +147
(1) Cleaning up request packet ID 9 with timestamp +147
(2) Cleaning up request packet ID 10 with timestamp +147
(3) Cleaning up request packet ID 11 with timestamp +147
(4) Cleaning up request packet ID 12 with timestamp +147
(5) Cleaning up request packet ID 13 with timestamp +147
Waking up in 0.2 seconds.
(9) Sending delayed response
(9) Sent Access-Reject Id 17 from 10.70.42.77:1645 to 10.8.150.118:1645 length 20
(6) Cleaning up request packet ID 14 with timestamp +148
Waking up in 0.7 seconds.
(7) Cleaning up request packet ID 15 with timestamp +148
Waking up in 1.6 seconds.
(8) Cleaning up request packet ID 16 with timestamp +150
Waking up in 1.5 seconds.
(9) Cleaning up request packet ID 17 with timestamp +152
Ready to process requests
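Editor's note, with an added configuration example that is not the poster's config. Both traces show the same detail on the requests that arrive from the switch (10.8.150.118): every section executed for them is taken "from file /etc/raddb/sites-enabled/inner-tunnel", so the NAS-facing listener is being served by the inner-tunnel virtual server rather than by the default site. That explains the two outcomes. On request (8) the post-auth with if (1) runs inside a real tunneled request, so &outer.session-state exists, the Tunnel-* attributes are copied, and the outer request saves them ("session-state: Saving cached attributes ... Tunnel-Private-Group-Id += "150""). On request (9), the final outer round with no inner request, the same post-auth runs again in a context that has no parent, so &outer.session-state is "invalid in this context", post-auth returns invalid, the REJECT handler's own update outer.session-state fails the same way, and the user is rejected. With if (0) nothing fails, but nothing puts the cached attributes into the Access-Accept either, which is exactly the first trace (the Access-Accept carries only the MS-MPPE keys and User-Name). The split below is the stock FreeRADIUS 3.0 layout; the listen settings are an assumption about this installation (the trace only shows that the server answers on UDP/1645), and VLAN 150 is kept hard-coded as in the thread.

```unlang
# Added example (editor's, not the poster's files).  Assumption: the NAS-facing
# socket had been moved into inner-tunnel; it belongs to "server default".

# /etc/raddb/sites-available/default  --  the OUTER server.  It owns the socket
# the switch talks to and is the outermost request, so it never uses "outer.".
server default {
	listen {
		type   = auth
		ipaddr = *
		port   = 1645          # the port the switch in the trace sends to
	}

	authorize {
		filter_username
		preprocess
		suffix
		eap {
			ok = return
		}
	}

	authenticate {
		eap
	}

	post-auth {
		# inner-tunnel stashed Tunnel-* in session-state during the PEAP
		# exchange; this line is what puts them into the final Access-Accept.
		update {
			&reply: += &session-state:
		}
		Post-Auth-Type REJECT {
			attr_filter.access_reject
			eap
		}
	}
}

# /etc/raddb/sites-available/inner-tunnel  --  only reached through the PEAP
# tunnel, so "outer." is defined here.  Keep it on loopback: a listener that is
# reachable from the network accepts inner (plain MS-CHAPv2) requests that never
# went through the TLS tunnel.
server inner-tunnel {
	listen {
		ipaddr = 127.0.0.1
		port   = 18120
	}

	authorize {
		filter_username
		chap
		mschap
		suffix
		update control {
			&Proxy-To-Realm := LOCAL
		}
		eap {
			ok = return
		}
		files
		expiration
		logintime
		pap
	}

	authenticate {
		Auth-Type MS-CHAP {
			mschap
		}
		eap
	}

	post-auth {
		update reply {
			User-Name                 !* ANY
			Message-Authenticator     !* ANY
			EAP-Message               !* ANY
			Proxy-State               !* ANY
			MS-MPPE-Encryption-Types  !* ANY
			MS-MPPE-Encryption-Policy !* ANY
			MS-MPPE-Send-Key          !* ANY
			MS-MPPE-Recv-Key          !* ANY
			# VLAN 150 for everything that authenticates, as in the thread.
			# A production policy derives this from the host's AD group
			# (for example an rlm_ldap Ldap-Group check) so that every
			# domain-joined machine does not land in the same VLAN.
			Tunnel-Type               := VLAN
			Tunnel-Medium-Type        := IEEE-802
			Tunnel-Private-Group-Id   := "150"
		}
		# Valid only here, where a parent (outer) request exists.
		update {
			&outer.session-state: += &reply:
		}

		Post-Auth-Type REJECT {
			attr_filter.access_reject
			update outer.session-state {
				&Module-Failure-Message := &request:Module-Failure-Message
			}
		}
	}
}
```

How to check it: run radiusd -X again and look at the outer request. Its sections should now read "from file /etc/raddb/sites-enabled/default", and the final "Sent Access-Accept" should list Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id = "150" next to the MS-MPPE keys; on the switch side, "show authentication sessions interface FastEthernet0/5" (or the equivalent for the platform) should then report VLAN 150. If the switch ignores untagged tunnel attributes, write them with a tag (Tunnel-Type:1 := VLAN, and so on for the other two). Two further points the trace itself raises: the repeated "WARNING: Outer and inner identities are the same" means the machine identity host/WNAMTest.stand.ru is sent in clear text in the outer EAP-Identity, so enable identity privacy (an anonymous outer identity) on the supplicant where the client supports it; and leave the inner-tunnel listener on 127.0.0.1:18120 rather than exposing it on the NAS-facing address.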