Если в секции post-auth виртуального сервера inner-tunnel оставить стандартный блок `if (1) { update reply { ... } update { &outer.session-state: += &reply: } }`, то на последнем раунде PEAP (после EAP-TLV Success, запрос (9)) аутентификация отклоняется: в логе появляется `ERROR: Mapping "&reply:" -> "&outer.session-state:" invalid in this context`, секция post-auth завершается со статусом invalid, срабатывает Post-Auth-Type Reject и NAS получает Access-Reject. Судя по логу, внешний (outer) Access-Request от NAS обрабатывается тем же виртуальным сервером inner-tunnel (секция authorize выполняется из /etc/raddb/sites-enabled/inner-tunnel ещё до входа в TLS-туннель), поэтому у этого запроса нет родительского outer-запроса, к которому можно обратиться через `&outer.session-state` — на внутреннем (tunneled) запросе (8) тот же блок отрабатывает без ошибки. Если такая схема не задумана, внешний запрос должен обрабатываться отдельным сервером (обычно default), а этот блок оставаться только в inner-tunnel. Отдельно стоит обратить внимание на предупреждение `Outer and inner identities are the same. User privacy is compromised.` — внешняя (незащищённая) идентичность `host/WNAMTest.stand.ru` совпадает с внутренней, то есть реальное имя клиента передаётся в открытом виде до установления TLS.
(8) Received Access-Request Id 16 from 10.8.150.118:1645 to 10.70.42.77:1645 length 206
(8) User-Name = "host/WNAMTest.stand.ru"
(8) Service-Type = Framed-User
(8) Framed-MTU = 1504
(8) Called-Station-Id = "00-17-E0-1C-15-87"
(8) Calling-Station-Id = "00-E0-4C-31-0E-67"
(8) EAP-Message = 0x020900251900170303001a0000000000000003bfc49b79f8e6a33b3dbb7bd7c40602262192
(8) Message-Authenticator = 0x85293261230a81879ef33b04ef76807d
(8) NAS-Port-Type = Ethernet
(8) NAS-Port = 50005
(8) NAS-Port-Id = "FastEthernet0/5"
(8) State = 0x35db708332d269e6230a007503c37627
(8) NAS-IP-Address = 10.8.150.118
(8) Restoring &session-state
(8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8) &session-state:TLS-Session-Version = "TLS 1.2"
(8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [chap] = noop
(8) [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) update control {
(8) &Proxy-To-Realm := LOCAL
(8) } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 9 length 37
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap: Expiring EAP session with state 0xe0803171e1892b17
(8) eap: Finished EAP session with state 0x35db708332d269e6
(8) eap: Previous EAP request found for state 0x35db708332d269e6, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message = 0x020900061a03
(8) eap_peap: Setting User-Name to host/WNAMTest.stand.ru
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap: EAP-Message = 0x020900061a03
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = "host/WNAMTest.stand.ru"
(8) eap_peap: State = 0xe0803171e1892b17e57438631f9978dd
(8) Virtual server inner-tunnel received request
(8) EAP-Message = 0x020900061a03
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = "host/WNAMTest.stand.ru"
(8) State = 0xe0803171e1892b17e57438631f9978dd
(8) WARNING: Outer and inner identities are the same. User privacy is compromised.
(8) server inner-tunnel {
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [chap] = noop
(8) [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) update control {
(8) &Proxy-To-Realm := LOCAL
(8) } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 9 length 6
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) [files] = noop
(8) [expiration] = noop
(8) [logintime] = noop
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap: Expiring EAP session with state 0xe0803171e1892b17
(8) eap: Finished EAP session with state 0xe0803171e1892b17
(8) eap: Previous EAP request found for state 0xe0803171e1892b17, released from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap: Sending EAP Success (code 3) ID 9 length 4
(8) eap: Freeing handler
(8) [eap] = ok
(8) } # authenticate = ok
(8) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
(8) post-auth {
(8) if (1) {
(8) if (1) -> TRUE
(8) if (1) {
(8) update reply {
(8) User-Name !* ANY
(8) Message-Authenticator !* ANY
(8) EAP-Message !* ANY
(8) Proxy-State !* ANY
(8) MS-MPPE-Encryption-Types !* ANY
(8) MS-MPPE-Encryption-Policy !* ANY
(8) MS-MPPE-Send-Key !* ANY
(8) MS-MPPE-Recv-Key !* ANY
(8) Tunnel-Type = VLAN
(8) Tunnel-Medium-Type = IEEE-802
(8) Tunnel-Private-Group-Id = "150"
(8) } # update reply = noop
(8) update {
(8) &outer.session-state::Tunnel-Type += &reply:Tunnel-Type[*] -> VLAN
(8) &outer.session-state::Tunnel-Medium-Type += &reply:Tunnel-Medium-Type[*] -> IEEE-802
(8) &outer.session-state::Tunnel-Private-Group-Id += &reply:Tunnel-Private-Group-Id[*] -> '150'
(8) } # update = noop
(8) } # if (1) = noop
(8) } # post-auth = noop
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8) Tunnel-Type = VLAN
(8) Tunnel-Medium-Type = IEEE-802
(8) Tunnel-Private-Group-Id = "150"
(8) eap_peap: Got tunneled reply code 2
(8) eap_peap: Tunnel-Type = VLAN
(8) eap_peap: Tunnel-Medium-Type = IEEE-802
(8) eap_peap: Tunnel-Private-Group-Id = "150"
(8) eap_peap: Got tunneled reply RADIUS code 2
(8) eap_peap: Tunnel-Type = VLAN
(8) eap_peap: Tunnel-Medium-Type = IEEE-802
(8) eap_peap: Tunnel-Private-Group-Id = "150"
(8) eap_peap: Tunneled authentication was successful
(8) eap_peap: SUCCESS
(8) eap_peap: Saving tunneled attributes for later
(8) eap: Sending EAP Request (code 1) ID 10 length 46
(8) eap: EAP session adding &reply:State = 0x35db70833dd169e6
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found. Ignoring.
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8) session-state: Saving cached attributes
(8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8) TLS-Session-Version = "TLS 1.2"
(8) Tunnel-Type += VLAN
(8) Tunnel-Medium-Type += IEEE-802
(8) Tunnel-Private-Group-Id += "150"
(8) Sent Access-Challenge Id 16 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0
(8) EAP-Message = 0x010a002e190017030300239656895d9d047f0c62289e622c8e69d1d72d7d601c1981ec4514bfc83655820d0b7eae
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x35db70833dd169e6230a007503c37627
(8) Finished request
Waking up in 2.0 seconds.
(9) Received Access-Request Id 17 from 10.8.150.118:1645 to 10.70.42.77:1645 length 215
(9) User-Name = "host/WNAMTest.stand.ru"
(9) Service-Type = Framed-User
(9) Framed-MTU = 1504
(9) Called-Station-Id = "00-17-E0-1C-15-87"
(9) Calling-Station-Id = "00-E0-4C-31-0E-67"
(9) EAP-Message = 0x020a002e1900170303002300000000000000042f9e214e97dbecd34987e322d107aee761efe52b96b406123d7d9f
(9) Message-Authenticator = 0x85051369b1f749095a19433c21200733
(9) NAS-Port-Type = Ethernet
(9) NAS-Port = 50005
(9) NAS-Port-Id = "FastEthernet0/5"
(9) State = 0x35db70833dd169e6230a007503c37627
(9) NAS-IP-Address = 10.8.150.118
(9) Restoring &session-state
(9) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(9) &session-state:TLS-Session-Version = "TLS 1.2"
(9) &session-state:Tunnel-Type += VLAN
(9) &session-state:Tunnel-Medium-Type += IEEE-802
(9) &session-state:Tunnel-Private-Group-Id += "150"
(9) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /@\./) {
(9) if (&User-Name =~ /@\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [chap] = noop
(9) [mschap] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) update control {
(9) &Proxy-To-Realm := LOCAL
(9) } # update control = noop
(9) eap: Peer sent EAP Response (code 2) ID 10 length 46
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(9) authenticate {
(9) eap: Expiring EAP session with state 0x35db70833dd169e6
(9) eap: Finished EAP session with state 0x35db70833dd169e6
(9) eap: Previous EAP request found for state 0x35db70833dd169e6, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv success
(9) eap_peap: Received EAP-TLV response
(9) eap_peap: Success
(9) eap_peap: Using saved attributes from the original Access-Accept
(9) eap_peap: Tunnel-Type = VLAN
(9) eap_peap: Tunnel-Medium-Type = IEEE-802
(9) eap_peap: Tunnel-Private-Group-Id = "150"
(9) eap: Sending EAP Success (code 3) ID 10 length 4
(9) eap: Freeing handler
(9) [eap] = ok
(9) } # authenticate = ok
(9) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
(9) post-auth {
(9) if (1) {
(9) if (1) -> TRUE
(9) if (1) {
(9) update reply {
(9) User-Name !* ANY
(9) Message-Authenticator !* ANY
(9) EAP-Message !* ANY
(9) Proxy-State !* ANY
(9) MS-MPPE-Encryption-Types !* ANY
(9) MS-MPPE-Encryption-Policy !* ANY
(9) MS-MPPE-Send-Key !* ANY
(9) MS-MPPE-Recv-Key !* ANY
(9) Tunnel-Type = VLAN
(9) Tunnel-Medium-Type = IEEE-802
(9) Tunnel-Private-Group-Id = "150"
(9) } # update reply = noop
(9) update {
(9) ERROR: Mapping "&reply:" -> "&outer.session-state:" invalid in this context
(9) } # update = invalid
(9) } # if (1) = invalid
(9) } # post-auth = invalid
(9) Using Post-Auth-Type Reject
(9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(9) Post-Auth-Type REJECT {
(9) attr_filter.access_reject: EXPAND %{User-Name}
(9) attr_filter.access_reject: --> host/WNAMTest.stand.ru
(9) attr_filter.access_reject: Matched entry DEFAULT at line 11
(9) [attr_filter.access_reject] = updated
(9) update outer.session-state {
(9) ERROR: Mapping "&request:Module-Failure-Message" -> "&Module-Failure-Message" invalid in this context
(9) } # update outer.session-state = invalid
(9) } # Post-Auth-Type REJECT = invalid
(9) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.1 seconds.
(0) Cleaning up request packet ID 8 with timestamp +147
(1) Cleaning up request packet ID 9 with timestamp +147
(2) Cleaning up request packet ID 10 with timestamp +147
(3) Cleaning up request packet ID 11 with timestamp +147
(4) Cleaning up request packet ID 12 with timestamp +147
(5) Cleaning up request packet ID 13 with timestamp +147
Waking up in 0.2 seconds.
(9) Sending delayed response
(9) Sent Access-Reject Id 17 from 10.70.42.77:1645 to 10.8.150.118:1645 length 20
(6) Cleaning up request packet ID 14 with timestamp +148
Waking up in 0.7 seconds.
(7) Cleaning up request packet ID 15 with timestamp +148
Waking up in 1.6 seconds.
(8) Cleaning up request packet ID 16 with timestamp +150
Waking up in 1.5 seconds.
(9) Cleaning up request packet ID 17 with timestamp +152
Ready to process requests