SYNOPSIS
GSS ok
SSH - using long hostname (hostname -f), no radius activity
- using shortname causes freeradius to crash
Using the install and testing notes all was ok up to and including 5.1 (Testing gss-client and gss-server)
Moving on to "Testing SSH" ...
dml@moon-serv:/etc/ssh$ id moonshot
uid=1001(moonshot) gid=1001(moonshot) groups=1001(moonshot)
Using FQDN,
dml@moon-serv:/etc/ssh$ hostname -f
moon-serv.uscs.susx.ac.uk
dml@moon-serv:/etc/ssh$ ssh [log in to unmask]
[log in to unmask] password:
... and nothing shown in the freeradius debug log.
Using shortname woke up radius and all appears to be going well, but ...
dml@moon-serv:/etc/ssh$ ssh moonshot@moon-serv
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
moonshot@moon-serv's password:
... and the radius daemon has crashed. I enclose the freeradius debug output below. I notice that it thinks the User-Name is "@local" .
Dave
---
Dave Lewney
IT Services, University of Sussex, Brighton BN1 9QT
-------------
root@moon-serv:/etc/init.d# /usr/sbin/freeradius -fxx -l stdout
freeradius: FreeRADIUS Version 3.0.0, for host , built on Apr 18 2013 at 19:22:07
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/mods-enabled/
including configuration file /etc/freeradius/mods-enabled/files
including configuration file /etc/freeradius/mods-enabled/detail.log
including configuration file /etc/freeradius/mods-enabled/psk
including configuration file /etc/freeradius/mods-enabled/attr_filter
including configuration file /etc/freeradius/mods-enabled/logintime
including configuration file /etc/freeradius/mods-enabled/expr
including configuration file /etc/freeradius/mods-enabled/dhcp
including configuration file /etc/freeradius/mods-enabled/unix
including configuration file /etc/freeradius/mods-enabled/counter
including configuration file /etc/freeradius/mods-enabled/soh
including configuration file /etc/freeradius/mods-enabled/wimax
including configuration file /etc/freeradius/mods-enabled/expiration
including configuration file /etc/freeradius/mods-enabled/radutmp
including configuration file /etc/freeradius/mods-enabled/cui
including configuration file /etc/freeradius/mods-enabled/../sql/cui/mysql/queries.conf
including configuration file /etc/freeradius/mods-enabled/eap
including configuration file /etc/freeradius/mods-enabled/preprocess
including configuration file /etc/freeradius/mods-enabled/passwd
including configuration file /etc/freeradius/mods-enabled/exec
including configuration file /etc/freeradius/mods-enabled/inner-eap
including configuration file /etc/freeradius/mods-enabled/linelog
including configuration file /etc/freeradius/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/mods-enabled/digest
including configuration file /etc/freeradius/mods-enabled/replicate
including configuration file /etc/freeradius/mods-enabled/sradutmp
including configuration file /etc/freeradius/mods-enabled/pap
including configuration file /etc/freeradius/mods-enabled/realm
including configuration file /etc/freeradius/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/mods-enabled/attr_rewrite
including configuration file /etc/freeradius/mods-enabled/detail
including configuration file /etc/freeradius/mods-enabled/always
including configuration file /etc/freeradius/mods-enabled/utf8
including configuration file /etc/freeradius/mods-enabled/chap
including configuration file /etc/freeradius/mods-enabled/cache_eap
including configuration file /etc/freeradius/mods-enabled/mschap
including configuration file /etc/freeradius/mods-enabled/checkval
including configuration file /etc/freeradius/mods-enabled/echo
including files in directory /etc/freeradius/policy.d/
including configuration file /etc/freeradius/policy.d/filter
including configuration file /etc/freeradius/policy.d/dhcp
including configuration file /etc/freeradius/policy.d/control
including configuration file /etc/freeradius/policy.d/cui
including configuration file /etc/freeradius/policy.d/operator-name
including configuration file /etc/freeradius/policy.d/eap
including configuration file /etc/freeradius/policy.d/accounting
including configuration file /etc/freeradius/policy.d/canonicalization
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/tls
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
main {
security {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
}
including dictionary file /etc/freeradius/dictionary
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
home_server tls {
ipaddr = 127.0.0.1
port = 2083
type = "auth"
proto = "tcp"
secret = "testing123"
response_window = 30
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
revive_interval = 300
status_check_timeout = 4
}
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
dh_file = "/etc/freeradius/certs/dh"
random_file = "/etc/freeradius/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
ecdh_curve = "prime256v1"
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
home_server_pool tls {
type = fail-over
home_server = tls
}
realm tls {
auth_pool = tls
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/freeradius/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/freeradius/mods-enabled/expr
expr {
safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
Module: Linked to module rlm_dhcp
Module: Instantiating module "dhcp" from file /etc/freeradius/mods-enabled/dhcp
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file /etc/freeradius/mods-enabled/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /etc/freeradius/mods-enabled/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
modules {
} # modules
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/freeradius/mods-enabled/pap
pap {
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/freeradius/mods-enabled/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/freeradius/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
}
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/freeradius/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/freeradius/mods-enabled/eap
eap {
default_eap_type = "ttls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
tls = "tls-common"
}
tls-config tls-common {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.pem"
certificate_file = "/etc/freeradius/certs/server.pem"
CA_file = "/etc/freeradius/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/etc/freeradius/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/freeradius/certs/bootstrap"
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = yes
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
debug: Using cached TLS configuration from previous invocation
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
debug: Using cached TLS configuration from previous invocation
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/freeradius/mods-enabled/realm
Warning: dh_check failed with 8: the g value is not a generator
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
default_community = "apc.moonshot.ja.net"
rp_realm = "local"
trust_router = "localhost"
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/freeradius/mods-enabled/files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
reading pairlist file /etc/freeradius/users
reading pairlist file /etc/freeradius/acct_users
reading pairlist file /etc/freeradius/preproxy_users
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/freeradius/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
file = "/etc/freeradius/filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/filter/access_reject
} # modules
} # server
server default { # from file /etc/freeradius/sites-enabled/default
modules {
Module: Creating Auth-Type = digest
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /etc/freeradius/mods-enabled/digest
Module: Checking authorize {...} for more modules to load
Module: Loading virtual module filter_username
Module: Linked to module rlm_always
Module: Instantiating module "reject" from file /etc/freeradius/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /etc/freeradius/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/freeradius/huntgroups
reading pairlist file /etc/freeradius/hints
Module: Checking preacct {...} for more modules to load
Module: Loading virtual module acct_unique
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /etc/freeradius/mods-enabled/detail
detail {
detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
file = "/etc/freeradius/filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/filter/accounting_response
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Loading virtual module remove_reply_message_if_eap
Module: Instantiating module "noop" from file /etc/freeradius/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
Module: Loading virtual module remove_reply_message_if_eap
} # modules
} # server
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
cleanup_delay = 5
max_queue_size = 65536
auto_limit_acct = no
}
Thread spawned new child 1. Total threads in pool: 1
Thread spawned new child 2. Total threads in pool: 2
Thread spawned new child 3. Total threads in pool: 3
Thread spawned new child 4. Total threads in pool: 4
Thread spawned new child 5. Total threads in pool: 5
Thread pool initialized
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 2083
max_pps = 0
proto = "tcp"
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.pem"
certificate_file = "/etc/freeradius/certs/server.pem"
CA_file = "/etc/freeradius/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/etc/freeradius/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "PSK:ALL:!aNULL:!eNULL"
require_client_cert = yes
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
}
Thread 5 waiting to be assigned a request
Thread 4 waiting to be assigned a request
Thread 1 waiting to be assigned a request
Thread 3 waiting to be assigned a request
Thread 2 waiting to be assigned a request
clients = "radsec"
client 127.0.0.1 {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
virtual_server = "default"
proto = "tcp"
}
client default {
ipaddr = 0.0.0.0
netmask = 0
require_message_authenticator = no
secret = "testing123"
virtual_server = "default"
proto = "tcp"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 4000
max_pps = 0
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
max_pps = 0
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
}
listen {
type = "auth"
ipaddr = *
port = 0
max_pps = 0
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
}
listen {
type = "acct"
ipaddr = *
port = 0
max_pps = 0
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
}
Listening on authentication proto tcp address * port 2083 (TLS)
Listening on authentication address 127.0.0.1 port 4000
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on authentication address * port 1812 as server default
Listening on accounting address * port 1813 as server default
Opening new proxy address * port 2085
Listening on proxy address * port 2085
Ready to process requests.
... new connection request on TCP socket.
Listening on authentication from client (127.0.0.1, 58839) -> (*, 2083)
Waking up in 0.6 seconds.
(0) Requiring client certificate
(0) Initiate
(0) (other): before/accept initialization
(0) TLS_accept: before/accept initialization
(0) <<< TLS 1.0 Handshake [length 00dd], ClientHello
(0) TLS_accept: SSLv3 read client hello A
(0) >>> TLS 1.0 Handshake [length 003e], ServerHello
(0) TLS_accept: SSLv3 write server hello A
(0) >>> TLS 1.0 Handshake [length 085e], Certificate
(0) TLS_accept: SSLv3 write certificate A
(0) >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(0) TLS_accept: SSLv3 write key exchange A
(0) >>> TLS 1.0 Handshake [length 00a6], CertificateRequest
(0) TLS_accept: SSLv3 write certificate request A
(0) TLS_accept: SSLv3 flush data
(0) TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
Waking up in 0.6 seconds.
(0) <<< TLS 1.0 Handshake [length 0853], Certificate
(0) chain-depth=1,
(0) error=0
(0) --> BUF-Name = Example Certificate Authority
(0) --> subject = /C=FR/ST=Radius/L=Somewhere/O=Example [log in to unmask] Certificate Authority
(0) --> issuer = /C=FR/ST=Radius/L=Somewhere/O=Example [log in to unmask] Certificate Authority
(0) --> verify return:1
(0) chain-depth=0,
(0) error=0
(0) --> BUF-Name = [log in to unmask]
(0) --> subject = /C=FR/ST=Radius/O=Example [log in to unmask]@example.com
(0) --> issuer = /C=FR/ST=Radius/L=Somewhere/O=Example [log in to unmask] Certificate Authority
(0) --> verify return:1
(0) TLS_accept: SSLv3 read client certificate A
(0) <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(0) TLS_accept: SSLv3 read client key exchange A
(0) <<< TLS 1.0 Handshake [length 0106], CertificateVerify
(0) TLS_accept: SSLv3 read certificate verify A
(0) <<< TLS 1.0 ChangeCipherSpec [length 0001]
(0) <<< TLS 1.0 Handshake [length 0010], Finished
(0) TLS_accept: SSLv3 read finished A
(0) >>> TLS 1.0 ChangeCipherSpec [length 0001]
(0) TLS_accept: SSLv3 write change cipher spec A
(0) >>> TLS 1.0 Handshake [length 0010], Finished
(0) TLS_accept: SSLv3 write finished A
(0) TLS_accept: SSLv3 flush data
(0) (other): SSL negotiation finished successfully
SSL Connection Established
Waking up in 0.5 seconds.
(0) Application data status 7
(0) tls_recv: Access-Request packet from host 127.0.0.1 port 58839, id=0, length=76
Threads: total/active/spare threads = 5/0/5
Thread 5 got semaphore
Thread 5 handling request 0, (1 handled so far)
User-Name = "@local"
X-Ascend-FR-DCE-N393 = 1752134516
Attr-165 = 0x6d6f6f6e2d73657276
EAP-Message = 0x0200000b01406c6f63616c
Message-Authenticator = 0xdc1528b900eabf84a5505ca42db38962
(0) <thread> : # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0) <thread> : group authorize {
(0) <thread> : - entering group authorize {...}
(0) <thread> : policy filter_username {
(0) <thread> : - entering policy filter_username {...}
(0) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}")
(0) <thread> : expand: '%{User-Name}' -> '@local'
(0) <thread> : expand: '%{tolower:%{User-Name}}' -> '@local'
(0) <thread> : ? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(0) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(0) <thread> : ? if (User-Name =~ / /)
(0) <thread> : ? Evaluating (User-Name =~ / /) -> FALSE
(0) <thread> : ? if (User-Name =~ / /) -> FALSE
(0) <thread> : ? if (User-Name =~ [log in to unmask]*@/ )
(0) <thread> : ? Evaluating (User-Name =~ [log in to unmask]*@/) -> FALSE
(0) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) -> FALSE
(0) <thread> : ? if (User-Name =~ /\\.\\./ )
(0) <thread> : ? Evaluating (User-Name =~ /\\.\\./) -> FALSE
(0) <thread> : ? if (User-Name =~ /\\.\\./ ) -> FALSE
(0) <thread> : ? if (User-Name =~ /\\.$/)
(0) <thread> : ? Evaluating (User-Name =~ /\\.$/) -> FALSE
(0) <thread> : ? if (User-Name =~ /\\.$/) -> FALSE
(0) <thread> : ? if (User-Name =~ /@\\./)
(0) <thread> : ? Evaluating (User-Name =~ /@\\./) -> FALSE
(0) <thread> : ? if (User-Name =~ /@\\./) -> FALSE
(0) <thread> : - policy filter_username returns notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : Looking up realm "local" for User-Name = "@local"
(0) suffix : Found realm "LOCAL"
(0) suffix : Adding Stripped-User-Name = ""
(0) suffix : Adding Realm = "LOCAL"
(0) suffix : Authentication realm is LOCAL.
(0) [suffix] = ok
(0) eap : EAP packet type response id 0 length 11
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) group authenticate {
(0) - entering group authenticate {...}
(0) eap : EAP Identity
(0) eap : processing type ttls
(0) ttls : Flushing SSL sessions (of #0)
(0) ttls : Initiate
(0) ttls : Start returned 1
(0) eap : New EAP session, adding 'State' attribute to reply 0x712f0bd4712e1e61
(0) [eap] = handled
Sending Access-Challenge of id 0 from 0.0.0.0 port 2083 to 127.0.0.1 port 58839
EAP-Message = 0x010100061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x712f0bd4712e1e6167f66eff129f2ec3
(0) Finished request 0.
Thread 5 waiting to be assigned a request
Waking up in 0.3 seconds.
(0) Application data status 7
(0) tls_recv: Access-Request packet from host 127.0.0.1 port 58839, id=0, length=145
(0) Cleaning up request packet ID 0 with timestamp +6
Thread 4 got semaphore
Thread 4 handling request 1, (1 handled so far)
User-Name = "@local"
X-Ascend-FR-DCE-N393 = 1752134516
Attr-165 = 0x6d6f6f6e2d73657276
EAP-Message = 0x0201003e150016030100330100002f030151ac7abc8b36266ab11aedfd890b67fc81e9c0677271952682b8fcee96eff209000008002f000a000500040100
State = 0x712f0bd4712e1e6167f66eff129f2ec3
Message-Authenticator = 0xd5e3b4c19b81085113c86553b4a8538a
(1) <thread> : # Executing section authorize from file /etc/freeradius/sites-enabled/default
(1) <thread> : group authorize {
(1) <thread> : - entering group authorize {...}
(1) <thread> : policy filter_username {
(1) <thread> : - entering policy filter_username {...}
(1) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}")
(1) <thread> : expand: '%{User-Name}' -> '@local'
(1) <thread> : expand: '%{tolower:%{User-Name}}' -> '@local'
(1) <thread> : ? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(1) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(1) <thread> : ? if (User-Name =~ / /)
(1) <thread> : ? Evaluating (User-Name =~ / /) -> FALSE
(1) <thread> : ? if (User-Name =~ / /) -> FALSE
(1) <thread> : ? if (User-Name =~ [log in to unmask]*@/ )
(1) <thread> : ? Evaluating (User-Name =~ [log in to unmask]*@/) -> FALSE
(1) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) -> FALSE
(1) <thread> : ? if (User-Name =~ /\\.\\./ )
(1) <thread> : ? Evaluating (User-Name =~ /\\.\\./) -> FALSE
(1) <thread> : ? if (User-Name =~ /\\.\\./ ) -> FALSE
(1) <thread> : ? if (User-Name =~ /\\.$/)
(1) <thread> : ? Evaluating (User-Name =~ /\\.$/) -> FALSE
(1) <thread> : ? if (User-Name =~ /\\.$/) -> FALSE
(1) <thread> : ? if (User-Name =~ /@\\./)
(1) <thread> : ? Evaluating (User-Name =~ /@\\./) -> FALSE
(1) <thread> : ? if (User-Name =~ /@\\./) -> FALSE
(1) <thread> : - policy filter_username returns notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix : Looking up realm "local" for User-Name = "@local"
(1) suffix : Found realm "LOCAL"
(1) suffix : Adding Stripped-User-Name = ""
(1) suffix : Adding Realm = "LOCAL"
(1) suffix : Authentication realm is LOCAL.
(1) [suffix] = ok
(1) eap : EAP packet type response id 1 length 62
(1) eap : Continuing tunnel setup.
(1) [eap] = ok
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) group authenticate {
(1) - entering group authenticate {...}
(1) eap : Expiring EAP session with state 0x712f0bd4712e1e61
(1) eap : Finished EAP session with state 0x712f0bd4712e1e61
(1) eap : Previous EAP request found for state 0x712f0bd4712e1e61, released from the list
(1) eap : EAP/ttls
(1) eap : processing type ttls
(1) ttls : Authenticate
(1) ttls : processing EAP-TLS
(1) ttls : eaptls_verify returned 7
(1) ttls : Done initial handshake
(1) ttls : (other): before/accept initialization
(1) ttls : TLS_accept: before/accept initialization
(1) ttls : <<< TLS 1.0 Handshake [length 0033], ClientHello
(1) ttls : TLS_accept: SSLv3 read client hello A
(1) ttls : >>> TLS 1.0 Handshake [length 004a], ServerHello
(1) ttls : TLS_accept: SSLv3 write server hello A
(1) ttls : >>> TLS 1.0 Handshake [length 085e], Certificate
(1) ttls : TLS_accept: SSLv3 write certificate A
(1) ttls : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(1) ttls : TLS_accept: SSLv3 write server done A
(1) ttls : TLS_accept: SSLv3 flush data
(1) ttls : TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
(1) ttls : eaptls_process returned 13
(1) eap : New EAP session, adding 'State' attribute to reply 0x712f0bd4702d1e61
(1) [eap] = handled
Sending Access-Challenge of id 0 from 0.0.0.0 port 2083 to 127.0.0.1 port 58839
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x712f0bd4702d1e6167f66eff129f2ec3
(1) Finished request 1.
Thread 4 waiting to be assigned a request
Waking up in 0.3 seconds.
(0) Application data status 7
(0) tls_recv: Access-Request packet from host 127.0.0.1 port 58839, id=0, length=89
(1) Cleaning up request packet ID 0 with timestamp +6
Thread 3 got semaphore
Thread 3 handling request 2, (1 handled so far)
User-Name = "@local"
X-Ascend-FR-DCE-N393 = 1752134516
Attr-165 = 0x6d6f6f6e2d73657276
EAP-Message = 0x020200061500
State = 0x712f0bd4702d1e6167f66eff129f2ec3
Message-Authenticator = 0x17d5fd0e52b365059058dba254a2fc58
(2) <thread> : # Executing section authorize from file /etc/freeradius/sites-enabled/default
(2) <thread> : group authorize {
(2) <thread> : - entering group authorize {...}
(2) <thread> : policy filter_username {
(2) <thread> : - entering policy filter_username {...}
(2) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}")
(2) <thread> : expand: '%{User-Name}' -> '@local'
(2) <thread> : expand: '%{tolower:%{User-Name}}' -> '@local'
(2) <thread> : ? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(2) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(2) <thread> : ? if (User-Name =~ / /)
(2) <thread> : ? Evaluating (User-Name =~ / /) -> FALSE
(2) <thread> : ? if (User-Name =~ / /) -> FALSE
(2) <thread> : ? if (User-Name =~ [log in to unmask]*@/ )
(2) <thread> : ? Evaluating (User-Name =~ [log in to unmask]*@/) -> FALSE
(2) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) -> FALSE
(2) <thread> : ? if (User-Name =~ /\\.\\./ )
(2) <thread> : ? Evaluating (User-Name =~ /\\.\\./) -> FALSE
(2) <thread> : ? if (User-Name =~ /\\.\\./ ) -> FALSE
(2) <thread> : ? if (User-Name =~ /\\.$/)
(2) <thread> : ? Evaluating (User-Name =~ /\\.$/) -> FALSE
(2) <thread> : ? if (User-Name =~ /\\.$/) -> FALSE
(2) <thread> : ? if (User-Name =~ /@\\./)
(2) <thread> : ? Evaluating (User-Name =~ /@\\./) -> FALSE
(2) <thread> : ? if (User-Name =~ /@\\./) -> FALSE
(2) <thread> : - policy filter_username returns notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix : Looking up realm "local" for User-Name = "@local"
(2) suffix : Found realm "LOCAL"
(2) suffix : Adding Stripped-User-Name = ""
(2) suffix : Adding Realm = "LOCAL"
(2) suffix : Authentication realm is LOCAL.
(2) [suffix] = ok
(2) eap : EAP packet type response id 2 length 6
(2) eap : Continuing tunnel setup.
(2) [eap] = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2) group authenticate {
(2) - entering group authenticate {...}
(2) eap : Expiring EAP session with state 0x712f0bd4702d1e61
(2) eap : Finished EAP session with state 0x712f0bd4702d1e61
(2) eap : Previous EAP request found for state 0x712f0bd4702d1e61, released from the list
(2) eap : EAP/ttls
(2) eap : processing type ttls
(2) ttls : Authenticate
(2) ttls : processing EAP-TLS
(2) ttls : Received TLS ACK
(2) ttls : Received TLS ACK
(2) ttls : ACK handshake fragment handler
(2) ttls : eaptls_verify returned 1
(2) ttls : eaptls_process returned 13
(2) eap : New EAP session, adding 'State' attribute to reply 0x712f0bd4732c1e61
(2) [eap] = handled
Sending Access-Challenge of id 0 from 0.0.0.0 port 2083 to 127.0.0.1 port 58839
EAP-Message = 0x170d3134303533303134313130375a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100d5ea9c8daf3e209f46be890bd2e10399996255c5bc4c03a0311d9bf5c5ced1b53d45fb83317e691ea0c6f16b1bc26da8e088f3f08ada7c
EAP-Message = 0xc03081bd80144bc9ef9fa77920584ee92214be643e1a5974e223a18199a48196308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900e3bdffa7131f5e6a300c0603551d13040530030101ff300d06092a864886f70d0101050500038201010003f0b6fb1cc5dc0fb49e4f088643ec34c2bb
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x712f0bd4732c1e6167f66eff129f2ec3
(2) Finished request 2.
Thread 3 waiting to be assigned a request
Waking up in 0.3 seconds.
(0) Application data status 7
(0) tls_recv: Access-Request packet from host 127.0.0.1 port 58839, id=0, length=89
(2) Cleaning up request packet ID 0 with timestamp +6
Thread 2 got semaphore
Thread 2 handling request 3, (1 handled so far)
User-Name = "@local"
X-Ascend-FR-DCE-N393 = 1752134516
Attr-165 = 0x6d6f6f6e2d73657276
EAP-Message = 0x020300061500
State = 0x712f0bd4732c1e6167f66eff129f2ec3
Message-Authenticator = 0x0c2b6721f97ea1573af77fae84785634
(3) <thread> : # Executing section authorize from file /etc/freeradius/sites-enabled/default
(3) <thread> : group authorize {
(3) <thread> : - entering group authorize {...}
(3) <thread> : policy filter_username {
(3) <thread> : - entering policy filter_username {...}
(3) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}")
(3) <thread> : expand: '%{User-Name}' -> '@local'
(3) <thread> : expand: '%{tolower:%{User-Name}}' -> '@local'
(3) <thread> : ? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(3) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(3) <thread> : ? if (User-Name =~ / /)
(3) <thread> : ? Evaluating (User-Name =~ / /) -> FALSE
(3) <thread> : ? if (User-Name =~ / /) -> FALSE
(3) <thread> : ? if (User-Name =~ [log in to unmask]*@/ )
(3) <thread> : ? Evaluating (User-Name =~ [log in to unmask]*@/) -> FALSE
(3) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) -> FALSE
(3) <thread> : ? if (User-Name =~ /\\.\\./ )
(3) <thread> : ? Evaluating (User-Name =~ /\\.\\./) -> FALSE
(3) <thread> : ? if (User-Name =~ /\\.\\./ ) -> FALSE
(3) <thread> : ? if (User-Name =~ /\\.$/)
(3) <thread> : ? Evaluating (User-Name =~ /\\.$/) -> FALSE
(3) <thread> : ? if (User-Name =~ /\\.$/) -> FALSE
(3) <thread> : ? if (User-Name =~ /@\\./)
(3) <thread> : ? Evaluating (User-Name =~ /@\\./) -> FALSE
(3) <thread> : ? if (User-Name =~ /@\\./) -> FALSE
(3) <thread> : - policy filter_username returns notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix : Looking up realm "local" for User-Name = "@local"
(3) suffix : Found realm "LOCAL"
(3) suffix : Adding Stripped-User-Name = ""
(3) suffix : Adding Realm = "LOCAL"
(3) suffix : Authentication realm is LOCAL.
(3) [suffix] = ok
(3) eap : EAP packet type response id 3 length 6
(3) eap : Continuing tunnel setup.
(3) [eap] = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3) group authenticate {
(3) - entering group authenticate {...}
(3) eap : Expiring EAP session with state 0x712f0bd4732c1e61
(3) eap : Finished EAP session with state 0x712f0bd4732c1e61
(3) eap : Previous EAP request found for state 0x712f0bd4732c1e61, released from the list
(3) eap : EAP/ttls
(3) eap : processing type ttls
(3) ttls : Authenticate
(3) ttls : processing EAP-TLS
(3) ttls : Received TLS ACK
(3) ttls : Received TLS ACK
(3) ttls : ACK handshake fragment handler
(3) ttls : eaptls_verify returned 1
(3) ttls : eaptls_process returned 13
(3) eap : New EAP session, adding 'State' attribute to reply 0x712f0bd4722b1e61
(3) [eap] = handled
Sending Access-Challenge of id 0 from 0.0.0.0 port 2083 to 127.0.0.1 port 58839
EAP-Message = 0x0e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x712f0bd4722b1e6167f66eff129f2ec3
(3) Finished request 3.
Thread 2 waiting to be assigned a request
Waking up in 0.3 seconds.
(0) Application data status 7
(0) tls_recv: Access-Request packet from host 127.0.0.1 port 58839, id=0, length=417
(3) Cleaning up request packet ID 0 with timestamp +6
Waking up in 0.3 seconds.
Thread 1 got semaphore
Thread 1 handling request 4, (1 handled so far)
User-Name = "@local"
X-Ascend-FR-DCE-N393 = 1752134516
Attr-165 = 0x6d6f6f6e2d73657276
EAP-Message = 0x3a694f2e6062275cf8e46c26902269ef5e8edec31403010001011603010030d97c305b676cbaa292e0f708cb36f37f487b5da2a22efdcc4815eeb367dfc47c0da09082d122484a1e9fe2cb6dd00647
State = 0x712f0bd4722b1e6167f66eff129f2ec3
Message-Authenticator = 0xb4318cc18097a0c3b6ca334bb2888779
(4) <thread> : # Executing section authorize from file /etc/freeradius/sites-enabled/default
(4) <thread> : group authorize {
(4) <thread> : - entering group authorize {...}
(4) <thread> : policy filter_username {
(4) <thread> : - entering policy filter_username {...}
(4) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}")
(4) <thread> : expand: '%{User-Name}' -> '@local'
(4) <thread> : expand: '%{tolower:%{User-Name}}' -> '@local'
(4) <thread> : ? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(4) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(4) <thread> : ? if (User-Name =~ / /)
(4) <thread> : ? Evaluating (User-Name =~ / /) -> FALSE
(4) <thread> : ? if (User-Name =~ / /) -> FALSE
(4) <thread> : ? if (User-Name =~ [log in to unmask]*@/ )
(4) <thread> : ? Evaluating (User-Name =~ [log in to unmask]*@/) -> FALSE
(4) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) -> FALSE
(4) <thread> : ? if (User-Name =~ /\\.\\./ )
(4) <thread> : ? Evaluating (User-Name =~ /\\.\\./) -> FALSE
(4) <thread> : ? if (User-Name =~ /\\.\\./ ) -> FALSE
(4) <thread> : ? if (User-Name =~ /\\.$/)
(4) <thread> : ? Evaluating (User-Name =~ /\\.$/) -> FALSE
(4) <thread> : ? if (User-Name =~ /\\.$/) -> FALSE
(4) <thread> : ? if (User-Name =~ /@\\./)
(4) <thread> : ? Evaluating (User-Name =~ /@\\./) -> FALSE
(4) <thread> : ? if (User-Name =~ /@\\./) -> FALSE
(4) <thread> : - policy filter_username returns notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix : Looking up realm "local" for User-Name = "@local"
(4) suffix : Found realm "LOCAL"
(4) suffix : Adding Stripped-User-Name = ""
(4) suffix : Adding Realm = "LOCAL"
(4) suffix : Authentication realm is LOCAL.
(4) [suffix] = ok
(4) eap : EAP packet type response id 4 length 253
(4) eap : Continuing tunnel setup.
(4) [eap] = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4) group authenticate {
(4) - entering group authenticate {...}
(4) eap : Expiring EAP session with state 0x712f0bd4722b1e61
(4) eap : Finished EAP session with state 0x712f0bd4722b1e61
(4) eap : Previous EAP request found for state 0x712f0bd4722b1e61, released from the list
(4) eap : EAP/ttls
(4) eap : processing type ttls
(4) ttls : Authenticate
(4) ttls : processing EAP-TLS
(4) ttls : eaptls_verify returned 7
(4) ttls : Done initial handshake
(4) ttls : <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
(4) ttls : TLS_accept: SSLv3 read client key exchange A
(4) ttls : <<< TLS 1.0 ChangeCipherSpec [length 0001]
(4) ttls : <<< TLS 1.0 Handshake [length 0010], Finished
(4) ttls : TLS_accept: SSLv3 read finished A
(4) ttls : >>> TLS 1.0 ChangeCipherSpec [length 0001]
(4) ttls : TLS_accept: SSLv3 write change cipher spec A
(4) ttls : >>> TLS 1.0 Handshake [length 0010], Finished
(4) ttls : TLS_accept: SSLv3 write finished A
(4) ttls : TLS_accept: SSLv3 flush data
SSL: adding session 0116a21c94250be83ee0f0ecdf3e5335ea73c6de4dc83c70cb5ebef766e33466 to cache
(4) ttls : (other): SSL negotiation finished successfully
SSL Connection Established
(4) ttls : eaptls_process returned 13
(4) eap : New EAP session, adding 'State' attribute to reply 0x712f0bd4752a1e61
(4) [eap] = handled
Sending Access-Challenge of id 0 from 0.0.0.0 port 2083 to 127.0.0.1 port 58839
EAP-Message = 0x0105004515800000003b14030100010116030100309a8d459e4db1889c804a39398967936f10e8b00c533b668ec3da6a5e7d8f87deaa48222f4f4f3a5e3d9abcf41b85fd92
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x712f0bd4752a1e6167f66eff129f2ec3
(0) Application data status 7
(0) tls_recv: Access-Request packet from host 127.0.0.1 port 58839, id=0, length=142
(4) Waiting for child thread to stop
Waking up in 0.3 seconds.
Thread 5 got semaphore
Thread 5 handling request 5, (2 handled so far)
User-Name = "@local"
X-Ascend-FR-DCE-N393 = 1752134516
Attr-165 = 0x6d6f6f6e2d73657276
EAP-Message = 0x0205003b15001703010030c1003265c990d02afea3fd41923e47dd4236be00e616d2255546a57127df2873ca1cb7b488f469fb20a17ee8e91e65a5
State = 0x712f0bd4752a1e6167f66eff129f2ec3
Message-Authenticator = 0x192228e56da1620718788bf10c90b051
(5) <thread> : # Executing section authorize from file /etc/freeradius/sites-enabled/default
(5) <thread> : group authorize {
(5) <thread> : - entering group authorize {...}
(5) <thread> : policy filter_username {
(5) <thread> : - entering policy filter_username {...}
(5) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}")
(5) <thread> : expand: '%{User-Name}' -> '@local'
(5) <thread> : expand: '%{tolower:%{User-Name}}' -> '@local'
(5) <thread> : ? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(5) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(5) <thread> : ? if (User-Name =~ / /)
(5) <thread> : ? Evaluating (User-Name =~ / /) -> FALSE
(5) <thread> : ? if (User-Name =~ / /) -> FALSE
(5) <thread> : ? if (User-Name =~ [log in to unmask]*@/ )
(5) <thread> : ? Evaluating (User-Name =~ [log in to unmask]*@/) -> FALSE
(5) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) -> FALSE
(5) <thread> : ? if (User-Name =~ /\\.\\./ )
(5) <thread> : ? Evaluating (User-Name =~ /\\.\\./) -> FALSE
(5) <thread> : ? if (User-Name =~ /\\.\\./ ) -> FALSE
(5) <thread> : ? if (User-Name =~ /\\.$/)
(5) <thread> : ? Evaluating (User-Name =~ /\\.$/) -> FALSE
(5) <thread> : ? if (User-Name =~ /\\.$/) -> FALSE
(5) <thread> : ? if (User-Name =~ /@\\./)
(5) <thread> : ? Evaluating (User-Name =~ /@\\./) -> FALSE
(5) <thread> : ? if (User-Name =~ /@\\./) -> FALSE
(5) <thread> : - policy filter_username returns notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix : Looking up realm "local" for User-Name = "@local"
(5) suffix : Found realm "LOCAL"
(5) suffix : Adding Stripped-User-Name = ""
(5) suffix : Adding Realm = "LOCAL"
(5) suffix : Authentication realm is LOCAL.
(5) [suffix] = ok
(5) eap : EAP packet type response id 5 length 59
(5) eap : Continuing tunnel setup.
(5) [eap] = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) group authenticate {
(5) - entering group authenticate {...}
(5) eap : Expiring EAP session with state 0x712f0bd4752a1e61
(5) eap : Finished EAP session with state 0x712f0bd4752a1e61
(5) eap : Previous EAP request found for state 0x712f0bd4752a1e61, released from the list
(5) eap : EAP/ttls
(5) eap : processing type ttls
(5) ttls : Authenticate
(5) ttls : processing EAP-TLS
(5) ttls : eaptls_verify returned 7
(5) ttls : Done initial handshake
(5) ttls : eaptls_process returned 7
(5) ttls : Session established. Proceeding to decode tunneled attributes.
(5) ttls : Got tunneled request
EAP-Message = 0x02000010017374657665406c6f63616c
FreeRADIUS-Proxied-To = 127.0.0.1
(5) ttls : Got tunneled identity of steve@local
(5) ttls : Setting default EAP type for tunneled EAP session.
(5) ttls : Sending tunneled request
EAP-Message = 0x02000010017374657665406c6f63616c
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "steve@local"
server inner-tunnel {
(5) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
(5) group authorize {
(5) - entering group authorize {...}
(5) [chap] = noop
(5) [mschap] = noop
(5) suffix : Looking up realm "local" for User-Name = "steve@local"
(5) suffix : Found realm "LOCAL"
(5) suffix : Adding Stripped-User-Name = "steve"
(5) suffix : Adding Realm = "LOCAL"
(5) suffix : Authentication realm is LOCAL.
(5) [suffix] = ok
(5) update control {
(5) } # update control = ok
(5) eap : EAP packet type response id 0 length 16
(5) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(5) [eap] = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(5) group authenticate {
(5) - entering group authenticate {...}
(5) eap : EAP Identity
(5) eap : processing type md5
rlm_eap_md5: Issuing Challenge
(5) eap : New EAP session, adding 'State' attribute to reply 0xee5d6e98ee5c6af2
(5) [eap] = handled
} # server inner-tunnel
(5) ttls : Got tunneled reply code 11
EAP-Message = 0x010100160410d7f85df0bea15eedcd903985f669ebe6
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xee5d6e98ee5c6af22253e9689b41e2ad
(5) ttls : Got tunneled Access-Challenge
(5) eap : New EAP session, adding 'State' attribute to reply 0x712f0bd474291e61
(5) [eap] = handled
Sending Access-Challenge of id 0 from 0.0.0.0 port 2083 to 127.0.0.1 port 58839
EAP-Message = 0x0106004f15800000004517030100406080e856337f109505b240c7b64b3413f939006da205d5b44997ddc11431574ca036852e5cbac19feb936fe31ec01eb58ed168d404811ece0a7852cc98970878
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x712f0bd474291e6167f66eff129f2ec3
(0) Application data status 7
(0) tls_recv: Access-Request packet from host 127.0.0.1 port 58839, id=0, length=158
(5) Waiting for child thread to stop
Waking up in 0.3 seconds.
Thread 4 got semaphore
Thread 4 handling request 6, (2 handled so far)
User-Name = "@local"
X-Ascend-FR-DCE-N393 = 1752134516
Attr-165 = 0x6d6f6f6e2d73657276
EAP-Message = 0x0206004b1500170301004091ae5e777f6630252a84c234d84a9cc6ccadf305a8a69f9557b6863b7a62b857301613ed3c46f9876184999c9fa6de9fde15c8b99201fb8edd39bb07c2ad2383
State = 0x712f0bd474291e6167f66eff129f2ec3
Message-Authenticator = 0x0d641e43933da89a653b04b2fe4530fa
(6) <thread> : # Executing section authorize from file /etc/freeradius/sites-enabled/default
(6) <thread> : group authorize {
(6) <thread> : - entering group authorize {...}
(6) <thread> : policy filter_username {
(6) <thread> : - entering policy filter_username {...}
(6) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}")
(6) <thread> : expand: '%{User-Name}' -> '@local'
(6) <thread> : expand: '%{tolower:%{User-Name}}' -> '@local'
(6) <thread> : ? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(6) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(6) <thread> : ? if (User-Name =~ / /)
(6) <thread> : ? Evaluating (User-Name =~ / /) -> FALSE
(6) <thread> : ? if (User-Name =~ / /) -> FALSE
(6) <thread> : ? if (User-Name =~ [log in to unmask]*@/ )
(6) <thread> : ? Evaluating (User-Name =~ [log in to unmask]*@/) -> FALSE
(6) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) -> FALSE
(6) <thread> : ? if (User-Name =~ /\\.\\./ )
(6) <thread> : ? Evaluating (User-Name =~ /\\.\\./) -> FALSE
(6) <thread> : ? if (User-Name =~ /\\.\\./ ) -> FALSE
(6) <thread> : ? if (User-Name =~ /\\.$/)
(6) <thread> : ? Evaluating (User-Name =~ /\\.$/) -> FALSE
(6) <thread> : ? if (User-Name =~ /\\.$/) -> FALSE
(6) <thread> : ? if (User-Name =~ /@\\./)
(6) <thread> : ? Evaluating (User-Name =~ /@\\./) -> FALSE
(6) <thread> : ? if (User-Name =~ /@\\./) -> FALSE
(6) <thread> : - policy filter_username returns notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix : Looking up realm "local" for User-Name = "@local"
(6) suffix : Found realm "LOCAL"
(6) suffix : Adding Stripped-User-Name = ""
(6) suffix : Adding Realm = "LOCAL"
(6) suffix : Authentication realm is LOCAL.
(6) [suffix] = ok
(6) eap : EAP packet type response id 6 length 75
(6) eap : Continuing tunnel setup.
(6) [eap] = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6) group authenticate {
(6) - entering group authenticate {...}
(6) eap : Expiring EAP session with state 0xee5d6e98ee5c6af2
(6) eap : Finished EAP session with state 0x712f0bd474291e61
(6) eap : Previous EAP request found for state 0x712f0bd474291e61, released from the list
(6) eap : EAP/ttls
(6) eap : processing type ttls
(6) ttls : Authenticate
(6) ttls : processing EAP-TLS
(6) ttls : eaptls_verify returned 7
(6) ttls : Done initial handshake
(6) ttls : eaptls_process returned 7
(6) ttls : Session established. Proceeding to decode tunneled attributes.
(6) ttls : Got tunneled request
EAP-Message = 0x020100160410a988c9cd197354461741bea6ebca9cb8
FreeRADIUS-Proxied-To = 127.0.0.1
(6) ttls : Sending tunneled request
EAP-Message = 0x020100160410a988c9cd197354461741bea6ebca9cb8
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "steve@local"
State = 0xee5d6e98ee5c6af22253e9689b41e2ad
server inner-tunnel {
(6) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
(6) group authorize {
(6) - entering group authorize {...}
(6) [chap] = noop
(6) [mschap] = noop
(6) suffix : Looking up realm "local" for User-Name = "steve@local"
(6) suffix : Found realm "LOCAL"
(6) suffix : Adding Stripped-User-Name = "steve"
(6) suffix : Adding Realm = "LOCAL"
(6) suffix : Authentication realm is LOCAL.
(6) [suffix] = ok
(6) update control {
(6) } # update control = ok
(6) eap : EAP packet type response id 1 length 22
(6) eap : No EAP Start, assuming it's an on-going EAP conversation
(6) [eap] = updated
(6) files : users: Matched entry steve at line 76
(6) [files] = ok
(6) [expiration] = noop
(6) [logintime] = noop
(6) WARNING: pap : Auth-Type already set. Not setting to PAP
(6) [pap] = noop
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(6) group authenticate {
(6) - entering group authenticate {...}
(6) eap : Expiring EAP session with state 0xee5d6e98ee5c6af2
(6) eap : Finished EAP session with state 0xee5d6e98ee5c6af2
(6) eap : Previous EAP request found for state 0xee5d6e98ee5c6af2, released from the list
(6) eap : EAP/md5
(6) eap : processing type md5
(6) eap : Freeing handler
(6) [eap] = ok
(6) WARNING: Empty post-auth section. Using default return values.
(6) # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
} # server inner-tunnel
(6) ttls : Got tunneled reply code 2
EAP-Message = 0x03010004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "steve"
(6) ttls : Got tunneled Access-Accept
(6) ttls : Saving session 0116a21c94250be83ee0f0ecdf3e5335ea73c6de4dc83c70cb5ebef766e33466 vps 0x8f96e38 in the cache
(6) eap : Freeing handler
rlm_eap_ttls: Freeing handler for user steve@local
(6) [eap] = ok
(6) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
(6) group post-auth {
(6) - entering group post-auth {...}
(6) [exec] = noop
(6) policy remove_reply_message_if_eap {
(6) - entering policy remove_reply_message_if_eap {...}
(6) ? if (reply:EAP-Message && reply:Reply-Message)
(6) ? Evaluating (reply:EAP-Message ) -> TRUE
(6) ? Evaluating (reply:Reply-Message) -> FALSE
(6) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE
(6) else else {
(6) - entering else else {...}
(6) [noop] = noop
(6) - else else returns noop
(6) - policy remove_reply_message_if_eap returns noop
Sending Access-Accept of id 0 from 0.0.0.0 port 2083 to 127.0.0.1 port 58839
MS-MPPE-Recv-Key = 0x428b40281956f5ad89bbf4e515102874d350b7c1374e756e115e5f8e51ac9bf9
MS-MPPE-Send-Key = 0xba8de1bbc7c56706f20ad3fb08df661de0ec0ac8d55f3e0cea1b836607216251
Attr-26.6.122.4 = 0x1551ac7abc8b36266ab11aedfd890b67fc81e9c0677271952682b8fcee96eff20951ac7abcccdc627431a459374e94be4b477b21b479483886113650c6dc464499
EAP-Message = 0x03060004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = ""
WARNING: Skipping zero-length attribute User-Name
(5) Finished request 5.
Thread 5 waiting to be assigned a request
(6) Finished request 6.
Thread 4 waiting to be assigned a request
(4) Finished request 4.
Thread 1 waiting to be assigned a request
Client has closed connection
(6) Cleaning up request packet ID 0 with timestamp +6
... closing socket authentication from client (127.0.0.1, 58839) -> (*, 2083)
Waking up in 0.3 seconds.
... new connection request on TCP socket.
Listening on authentication from client (127.0.0.1, 58840) -> (*, 2083)
Waking up in 0.3 seconds.
(0) Requiring client certificate
(0) Initiate
(0) (other): before/accept initialization
(0) TLS_accept: before/accept initialization
(0) <<< TLS 1.0 Handshake [length 00dd], ClientHello
(0) TLS_accept: SSLv3 read client hello A
(0) >>> TLS 1.0 Handshake [length 003e], ServerHello
(0) TLS_accept: SSLv3 write server hello A
(0) >>> TLS 1.0 Handshake [length 085e], Certificate
(0) TLS_accept: SSLv3 write certificate A
(0) >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(0) TLS_accept: SSLv3 write key exchange A
(0) >>> TLS 1.0 Handshake [length 00a6], CertificateRequest
(0) TLS_accept: SSLv3 write certificate request A
(0) TLS_accept: SSLv3 flush data
(0) TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
Waking up in 0.3 seconds.
(0) <<< TLS 1.0 Handshake [length 0853], Certificate
(0) chain-depth=1,
(0) error=0
(0) --> BUF-Name = Example Certificate Authority
(0) --> subject = /C=FR/ST=Radius/L=Somewhere/O=Example [log in to unmask] Certificate Authority
(0) --> issuer = /C=FR/ST=Radius/L=Somewhere/O=Example [log in to unmask] Certificate Authority
(0) --> verify return:1
(0) chain-depth=0,
(0) error=0
(0) --> BUF-Name = [log in to unmask]
(0) --> subject = /C=FR/ST=Radius/O=Example [log in to unmask]@example.com
(0) --> issuer = /C=FR/ST=Radius/L=Somewhere/O=Example [log in to unmask] Certificate Authority
(0) --> verify return:1
(0) TLS_accept: SSLv3 read client certificate A
(0) <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(0) TLS_accept: SSLv3 read client key exchange A
(0) <<< TLS 1.0 Handshake [length 0106], CertificateVerify
(0) TLS_accept: SSLv3 read certificate verify A
(0) <<< TLS 1.0 ChangeCipherSpec [length 0001]
(0) <<< TLS 1.0 Handshake [length 0010], Finished
(0) TLS_accept: SSLv3 read finished A
(0) >>> TLS 1.0 ChangeCipherSpec [length 0001]
(0) TLS_accept: SSLv3 write change cipher spec A
(0) >>> TLS 1.0 Handshake [length 0010], Finished
(0) TLS_accept: SSLv3 write finished A
(0) TLS_accept: SSLv3 flush data
(0) (other): SSL negotiation finished successfully
SSL Connection Established
Waking up in 0.3 seconds.
(0) Application data status 7
(0) tls_recv: Access-Request packet from host 127.0.0.1 port 58840, id=0, length=76
Thread 3 got semaphore
Thread 3 handling request 7, (2 handled so far)
User-Name = "@local"
X-Ascend-FR-DCE-N393 = 1752134516
Attr-165 = 0x6d6f6f6e2d73657276
EAP-Message = 0x0200000b01406c6f63616c
Message-Authenticator = 0x5d826dd1d49be1e366f75ae2bf158a50
(7) <thread> : # Executing section authorize from file /etc/freeradius/sites-enabled/default
(7) <thread> : group authorize {
(7) <thread> : - entering group authorize {...}
(7) <thread> : policy filter_username {
(7) <thread> : - entering policy filter_username {...}
(7) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}")
(7) <thread> : expand: '%{User-Name}' -> '@local'
(7) <thread> : expand: '%{tolower:%{User-Name}}' -> '@local'
(7) <thread> : ? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(7) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(7) <thread> : ? if (User-Name =~ / /)
(7) <thread> : ? Evaluating (User-Name =~ / /) -> FALSE
(7) <thread> : ? if (User-Name =~ / /) -> FALSE
(7) <thread> : ? if (User-Name =~ [log in to unmask]*@/ )
(7) <thread> : ? Evaluating (User-Name =~ [log in to unmask]*@/) -> FALSE
(7) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) -> FALSE
(7) <thread> : ? if (User-Name =~ /\\.\\./ )
(7) <thread> : ? Evaluating (User-Name =~ /\\.\\./) -> FALSE
(7) <thread> : ? if (User-Name =~ /\\.\\./ ) -> FALSE
(7) <thread> : ? if (User-Name =~ /\\.$/)
(7) <thread> : ? Evaluating (User-Name =~ /\\.$/) -> FALSE
(7) <thread> : ? if (User-Name =~ /\\.$/) -> FALSE
(7) <thread> : ? if (User-Name =~ /@\\./)
(7) <thread> : ? Evaluating (User-Name =~ /@\\./) -> FALSE
(7) <thread> : ? if (User-Name =~ /@\\./) -> FALSE
(7) <thread> : - policy filter_username returns notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix : Looking up realm "local" for User-Name = "@local"
(7) suffix : Found realm "LOCAL"
(7) suffix : Adding Stripped-User-Name = ""
(7) suffix : Adding Realm = "LOCAL"
(7) suffix : Authentication realm is LOCAL.
(7) [suffix] = ok
(7) eap : EAP packet type response id 0 length 11
(7) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(7) [eap] = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/freeradius/sites-enabled/default
(7) group authenticate {
(7) - entering group authenticate {...}
(7) eap : EAP Identity
(7) eap : processing type ttls
(7) ttls : Initiate
(7) ttls : Start returned 1
(7) eap : New EAP session, adding 'State' attribute to reply 0x28fa568e28fb4330
(7) [eap] = handled
Sending Access-Challenge of id 0 from 0.0.0.0 port 2083 to 127.0.0.1 port 58840
EAP-Message = 0x010100061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x28fa568e28fb433021687027c00030ca
(7) Finished request 7.
Thread 3 waiting to be assigned a request
Waking up in 0.3 seconds.
(0) Application data status 7
(0) tls_recv: Access-Request packet from host 127.0.0.1 port 58840, id=0, length=145
(7) Cleaning up request packet ID 0 with timestamp +6
Thread 2 got semaphore
Thread 2 handling request 8, (2 handled so far)
User-Name = "@local"
X-Ascend-FR-DCE-N393 = 1752134516
Attr-165 = 0x6d6f6f6e2d73657276
EAP-Message = 0x0201003e150016030100330100002f030151ac7abcc32f85b420319d099d6352bfdc4ab54892c83e82b6bf39add4519f05000008002f000a000500040100
State = 0x28fa568e28fb433021687027c00030ca
Message-Authenticator = 0x7f2f77aec95054645fec6fcd56ac46ac
(8) <thread> : # Executing section authorize from file /etc/freeradius/sites-enabled/default
(8) <thread> : group authorize {
(8) <thread> : - entering group authorize {...}
(8) <thread> : policy filter_username {
(8) <thread> : - entering policy filter_username {...}
(8) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}")
(8) <thread> : expand: '%{User-Name}' -> '@local'
(8) <thread> : expand: '%{tolower:%{User-Name}}' -> '@local'
(8) <thread> : ? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(8) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(8) <thread> : ? if (User-Name =~ / /)
(8) <thread> : ? Evaluating (User-Name =~ / /) -> FALSE
(8) <thread> : ? if (User-Name =~ / /) -> FALSE
(8) <thread> : ? if (User-Name =~ [log in to unmask]*@/ )
(8) <thread> : ? Evaluating (User-Name =~ [log in to unmask]*@/) -> FALSE
(8) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) -> FALSE
(8) <thread> : ? if (User-Name =~ /\\.\\./ )
(8) <thread> : ? Evaluating (User-Name =~ /\\.\\./) -> FALSE
(8) <thread> : ? if (User-Name =~ /\\.\\./ ) -> FALSE
(8) <thread> : ? if (User-Name =~ /\\.$/)
(8) <thread> : ? Evaluating (User-Name =~ /\\.$/) -> FALSE
(8) <thread> : ? if (User-Name =~ /\\.$/) -> FALSE
(8) <thread> : ? if (User-Name =~ /@\\./)
(8) <thread> : ? Evaluating (User-Name =~ /@\\./) -> FALSE
(8) <thread> : ? if (User-Name =~ /@\\./) -> FALSE
(8) <thread> : - policy filter_username returns notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix : Looking up realm "local" for User-Name = "@local"
(8) suffix : Found realm "LOCAL"
(8) suffix : Adding Stripped-User-Name = ""
(8) suffix : Adding Realm = "LOCAL"
(8) suffix : Authentication realm is LOCAL.
(8) [suffix] = ok
(8) eap : EAP packet type response id 1 length 62
(8) eap : Continuing tunnel setup.
(8) [eap] = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/freeradius/sites-enabled/default
(8) group authenticate {
(8) - entering group authenticate {...}
(8) eap : Expiring EAP session with state 0x28fa568e28fb4330
(8) eap : Finished EAP session with state 0x28fa568e28fb4330
(8) eap : Previous EAP request found for state 0x28fa568e28fb4330, released from the list
(8) eap : EAP/ttls
(8) eap : processing type ttls
(8) ttls : Authenticate
(8) ttls : processing EAP-TLS
(8) ttls : eaptls_verify returned 7
(8) ttls : Done initial handshake
(8) ttls : (other): before/accept initialization
(8) ttls : TLS_accept: before/accept initialization
(8) ttls : <<< TLS 1.0 Handshake [length 0033], ClientHello
(8) ttls : TLS_accept: SSLv3 read client hello A
(8) ttls : >>> TLS 1.0 Handshake [length 004a], ServerHello
(8) ttls : TLS_accept: SSLv3 write server hello A
(8) ttls : >>> TLS 1.0 Handshake [length 085e], Certificate
(8) ttls : TLS_accept: SSLv3 write certificate A
(8) ttls : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(8) ttls : TLS_accept: SSLv3 write server done A
(8) ttls : TLS_accept: SSLv3 flush data
(8) ttls : TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
(8) ttls : eaptls_process returned 13
(8) eap : New EAP session, adding 'State' attribute to reply 0x28fa568e29f84330
(8) [eap] = handled
Sending Access-Challenge of id 0 from 0.0.0.0 port 2083 to 127.0.0.1 port 58840
EAP-Message = 0x070301300d06092a864886f70d01010505000382010100b4809b4d8459576abeabea0ddf87501401c152f5ef8f0b045ab337b5f235ae06a40a700b9a4ce0f7a4a6b6558721a08befc1462fffd9667c9da796412252b19d0560923a1aaec15020fd3835392dca2c843bb194bf52dca206054209d20f9232a7990bf6bb8f1c05196d472b0775b5b11c49022b0a360768c07b4367d0970a308b14adb42512cfed2352fd936a389efb998a30214baa8b582bde1e08c352a4890811f40b1857ea16c0e98e19c2f07f8b21dcb5f4b77145cb904d2460fa70be1bfc08903e5af2078a0d34457d581bd6116886b7059b136972eeaaff0f607a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x28fa568e29f8433021687027c00030ca
(8) Finished request 8.
Thread 2 waiting to be assigned a request
Waking up in 0.3 seconds.
(0) Application data status 7
(0) tls_recv: Access-Request packet from host 127.0.0.1 port 58840, id=0, length=89
(8) Cleaning up request packet ID 0 with timestamp +6
Thread 5 got semaphore
Thread 5 handling request 9, (3 handled so far)
User-Name = "@local"
X-Ascend-FR-DCE-N393 = 1752134516
Attr-165 = 0x6d6f6f6e2d73657276
EAP-Message = 0x020200061500
State = 0x28fa568e29f8433021687027c00030ca
Message-Authenticator = 0x04fb13cd38000a30aca3bc8adb069589
(9) <thread> : # Executing section authorize from file /etc/freeradius/sites-enabled/default
(9) <thread> : group authorize {
(9) <thread> : - entering group authorize {...}
(9) <thread> : policy filter_username {
(9) <thread> : - entering policy filter_username {...}
(9) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}")
(9) <thread> : expand: '%{User-Name}' -> '@local'
(9) <thread> : expand: '%{tolower:%{User-Name}}' -> '@local'
(9) <thread> : ? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(9) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(9) <thread> : ? if (User-Name =~ / /)
(9) <thread> : ? Evaluating (User-Name =~ / /) -> FALSE
(9) <thread> : ? if (User-Name =~ / /) -> FALSE
(9) <thread> : ? if (User-Name =~ [log in to unmask]*@/ )
(9) <thread> : ? Evaluating (User-Name =~ [log in to unmask]*@/) -> FALSE
(9) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) -> FALSE
(9) <thread> : ? if (User-Name =~ /\\.\\./ )
(9) <thread> : ? Evaluating (User-Name =~ /\\.\\./) -> FALSE
(9) <thread> : ? if (User-Name =~ /\\.\\./ ) -> FALSE
(9) <thread> : ? if (User-Name =~ /\\.$/)
(9) <thread> : ? Evaluating (User-Name =~ /\\.$/) -> FALSE
(9) <thread> : ? if (User-Name =~ /\\.$/) -> FALSE
(9) <thread> : ? if (User-Name =~ /@\\./)
(9) <thread> : ? Evaluating (User-Name =~ /@\\./) -> FALSE
(9) <thread> : ? if (User-Name =~ /@\\./) -> FALSE
(9) <thread> : - policy filter_username returns notfound
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix : Looking up realm "local" for User-Name = "@local"
(9) suffix : Found realm "LOCAL"
(9) suffix : Adding Stripped-User-Name = ""
(9) suffix : Adding Realm = "LOCAL"
(9) suffix : Authentication realm is LOCAL.
(9) [suffix] = ok
(9) eap : EAP packet type response id 2 length 6
(9) eap : Continuing tunnel setup.
(9) [eap] = ok
(9) Found Auth-Type = EAP
(9) # Executing group from file /etc/freeradius/sites-enabled/default
(9) group authenticate {
(9) - entering group authenticate {...}
(9) eap : Expiring EAP session with state 0x28fa568e29f84330
(9) eap : Finished EAP session with state 0x28fa568e29f84330
(9) eap : Previous EAP request found for state 0x28fa568e29f84330, released from the list
(9) eap : EAP/ttls
(9) eap : processing type ttls
(9) ttls : Authenticate
(9) ttls : processing EAP-TLS
(9) ttls : Received TLS ACK
(9) ttls : Received TLS ACK
(9) ttls : ACK handshake fragment handler
(9) ttls : eaptls_verify returned 1
(9) ttls : eaptls_process returned 13
(9) eap : New EAP session, adding 'State' attribute to reply 0x28fa568e2af94330
(9) [eap] = handled
Sending Access-Challenge of id 0 from 0.0.0.0 port 2083 to 127.0.0.1 port 58840
EAP-Message = 0x010303ec15c0000008bb93fcaded1ec36a99b78bdef5337a5a1e295f1f8cbf91e73ff8781af8475966e1dac90004ab308204a73082038fa003020102020900e3bdffa7131f5e6a300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3133303533303134313130375a
EAP-Message = 0xc03081bd80144bc9ef9fa77920584ee92214be643e1a5974e223a18199a48196308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900e3bdffa7131f5e6a300c0603551d13040530030101ff300d06092a864886f70d0101050500038201010003f0b6fb1cc5dc0fb49e4f088643ec34c2bb
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x28fa568e2af9433021687027c00030ca
(9) Finished request 9.
Thread 5 waiting to be assigned a request
Waking up in 0.3 seconds.
(0) Application data status 7
(0) tls_recv: Access-Request packet from host 127.0.0.1 port 58840, id=0, length=89
(9) Cleaning up request packet ID 0 with timestamp +6
Thread 4 got semaphore
Thread 4 handling request 10, (3 handled so far)
User-Name = "@local"
X-Ascend-FR-DCE-N393 = 1752134516
Attr-165 = 0x6d6f6f6e2d73657276
EAP-Message = 0x020300061500
State = 0x28fa568e2af9433021687027c00030ca
Message-Authenticator = 0x4cd6ee0433986c30c3224162cbaed513
(10) <thread> : # Executing section authorize from file /etc/freeradius/sites-enabled/default
(10) <thread> : group authorize {
(10) <thread> : - entering group authorize {...}
(10) <thread> : policy filter_username {
(10) <thread> : - entering policy filter_username {...}
(10) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}")
(10) <thread> : expand: '%{User-Name}' -> '@local'
(10) <thread> : expand: '%{tolower:%{User-Name}}' -> '@local'
(10) <thread> : ? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(10) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(10) <thread> : ? if (User-Name =~ / /)
(10) <thread> : ? Evaluating (User-Name =~ / /) -> FALSE
(10) <thread> : ? if (User-Name =~ / /) -> FALSE
(10) <thread> : ? if (User-Name =~ [log in to unmask]*@/ )
(10) <thread> : ? Evaluating (User-Name =~ [log in to unmask]*@/) -> FALSE
(10) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) -> FALSE
(10) <thread> : ? if (User-Name =~ /\\.\\./ )
(10) <thread> : ? Evaluating (User-Name =~ /\\.\\./) -> FALSE
(10) <thread> : ? if (User-Name =~ /\\.\\./ ) -> FALSE
(10) <thread> : ? if (User-Name =~ /\\.$/)
(10) <thread> : ? Evaluating (User-Name =~ /\\.$/) -> FALSE
(10) <thread> : ? if (User-Name =~ /\\.$/) -> FALSE
(10) <thread> : ? if (User-Name =~ /@\\./)
(10) <thread> : ? Evaluating (User-Name =~ /@\\./) -> FALSE
(10) <thread> : ? if (User-Name =~ /@\\./) -> FALSE
(10) <thread> : - policy filter_username returns notfound
(10) [preprocess] = ok
(10) [chap] = noop
(10) [mschap] = noop
(10) [digest] = noop
(10) suffix : Looking up realm "local" for User-Name = "@local"
(10) suffix : Found realm "LOCAL"
(10) suffix : Adding Stripped-User-Name = ""
(10) suffix : Adding Realm = "LOCAL"
(10) suffix : Authentication realm is LOCAL.
(10) [suffix] = ok
(10) eap : EAP packet type response id 3 length 6
(10) eap : Continuing tunnel setup.
(10) [eap] = ok
(10) Found Auth-Type = EAP
(10) # Executing group from file /etc/freeradius/sites-enabled/default
(10) group authenticate {
(10) - entering group authenticate {...}
(10) eap : Expiring EAP session with state 0x28fa568e2af94330
(10) eap : Finished EAP session with state 0x28fa568e2af94330
(10) eap : Previous EAP request found for state 0x28fa568e2af94330, released from the list
(10) eap : EAP/ttls
(10) eap : processing type ttls
(10) ttls : Authenticate
(10) ttls : processing EAP-TLS
(10) ttls : Received TLS ACK
(10) ttls : Received TLS ACK
(10) ttls : ACK handshake fragment handler
(10) ttls : eaptls_verify returned 1
(10) ttls : eaptls_process returned 13
(10) eap : New EAP session, adding 'State' attribute to reply 0x28fa568e2bfe4330
(10) [eap] = handled
Sending Access-Challenge of id 0 from 0.0.0.0 port 2083 to 127.0.0.1 port 58840
EAP-Message = 0x0e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x28fa568e2bfe433021687027c00030ca
(10) Finished request 10.
Thread 4 waiting to be assigned a request
Waking up in 0.3 seconds.
(0) Application data status 7
(0) tls_recv: Access-Request packet from host 127.0.0.1 port 58840, id=0, length=417
(10) Cleaning up request packet ID 0 with timestamp +6
Waking up in 0.3 seconds.
Thread 1 got semaphore
Thread 1 handling request 11, (2 handled so far)
User-Name = "@local"
X-Ascend-FR-DCE-N393 = 1752134516
Attr-165 = 0x6d6f6f6e2d73657276
EAP-Message = 0xc5230ce1b7811928b0e273d232698dab3c6077c71403010001011603010030e1e1b18ff5220cba3dee3fd6c2ae2617a516db147c00bbbf73ad83a308d42e66771f16aece1345708bf6dc2803c6cb9b
State = 0x28fa568e2bfe433021687027c00030ca
Message-Authenticator = 0xaf6f76e0c61a104a839d69ba88cc5fa4
(11) <thread> : # Executing section authorize from file /etc/freeradius/sites-enabled/default
(11) <thread> : group authorize {
(11) <thread> : - entering group authorize {...}
(11) <thread> : policy filter_username {
(11) <thread> : - entering policy filter_username {...}
(11) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}")
(11) <thread> : expand: '%{User-Name}' -> '@local'
(11) <thread> : expand: '%{tolower:%{User-Name}}' -> '@local'
(11) <thread> : ? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(11) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(11) <thread> : ? if (User-Name =~ / /)
(11) <thread> : ? Evaluating (User-Name =~ / /) -> FALSE
(11) <thread> : ? if (User-Name =~ / /) -> FALSE
(11) <thread> : ? if (User-Name =~ [log in to unmask]*@/ )
(11) <thread> : ? Evaluating (User-Name =~ [log in to unmask]*@/) -> FALSE
(11) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) -> FALSE
(11) <thread> : ? if (User-Name =~ /\\.\\./ )
(11) <thread> : ? Evaluating (User-Name =~ /\\.\\./) -> FALSE
(11) <thread> : ? if (User-Name =~ /\\.\\./ ) -> FALSE
(11) <thread> : ? if (User-Name =~ /\\.$/)
(11) <thread> : ? Evaluating (User-Name =~ /\\.$/) -> FALSE
(11) <thread> : ? if (User-Name =~ /\\.$/) -> FALSE
(11) <thread> : ? if (User-Name =~ /@\\./)
(11) <thread> : ? Evaluating (User-Name =~ /@\\./) -> FALSE
(11) <thread> : ? if (User-Name =~ /@\\./) -> FALSE
(11) <thread> : - policy filter_username returns notfound
(11) [preprocess] = ok
(11) [chap] = noop
(11) [mschap] = noop
(11) [digest] = noop
(11) suffix : Looking up realm "local" for User-Name = "@local"
(11) suffix : Found realm "LOCAL"
(11) suffix : Adding Stripped-User-Name = ""
(11) suffix : Adding Realm = "LOCAL"
(11) suffix : Authentication realm is LOCAL.
(11) [suffix] = ok
(11) eap : EAP packet type response id 4 length 253
(11) eap : Continuing tunnel setup.
(11) [eap] = ok
(11) Found Auth-Type = EAP
(11) # Executing group from file /etc/freeradius/sites-enabled/default
(11) group authenticate {
(11) - entering group authenticate {...}
(11) eap : Expiring EAP session with state 0x28fa568e2bfe4330
(11) eap : Finished EAP session with state 0x28fa568e2bfe4330
(11) eap : Previous EAP request found for state 0x28fa568e2bfe4330, released from the list
(11) eap : EAP/ttls
(11) eap : processing type ttls
(11) ttls : Authenticate
(11) ttls : processing EAP-TLS
(11) ttls : eaptls_verify returned 7
(11) ttls : Done initial handshake
(11) ttls : <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
(11) ttls : TLS_accept: SSLv3 read client key exchange A
(11) ttls : <<< TLS 1.0 ChangeCipherSpec [length 0001]
(11) ttls : <<< TLS 1.0 Handshake [length 0010], Finished
(11) ttls : TLS_accept: SSLv3 read finished A
(11) ttls : >>> TLS 1.0 ChangeCipherSpec [length 0001]
(11) ttls : TLS_accept: SSLv3 write change cipher spec A
(11) ttls : >>> TLS 1.0 Handshake [length 0010], Finished
(11) ttls : TLS_accept: SSLv3 write finished A
(11) ttls : TLS_accept: SSLv3 flush data
SSL: adding session 3f7fcd9238b3eeab539d61ecb39154154a584d17ac4ce5e641f055bf071581f2 to cache
(11) ttls : (other): SSL negotiation finished successfully
SSL Connection Established
(11) ttls : eaptls_process returned 13
(11) eap : New EAP session, adding 'State' attribute to reply 0x28fa568e2cff4330
(11) [eap] = handled
Sending Access-Challenge of id 0 from 0.0.0.0 port 2083 to 127.0.0.1 port 58840
EAP-Message = 0x0105004515800000003b14030100010116030100304e4e8d049c4af373f586c331a49164c3d58b468026f99d39a51524f2cb3e7d90f35eb0c6af71b5cebc4ae4b5ef2091c4
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x28fa568e2cff433021687027c00030ca
(0) Application data status 7
(0) tls_recv: Access-Request packet from host 127.0.0.1 port 58840, id=0, length=142
(11) Waiting for child thread to stop
Waking up in 0.2 seconds.
Thread 3 got semaphore
Thread 3 handling request 12, (3 handled so far)
User-Name = "@local"
X-Ascend-FR-DCE-N393 = 1752134516
Attr-165 = 0x6d6f6f6e2d73657276
EAP-Message = 0x0205003b15001703010030959489a5598d9fa05adfe2daee1c18292a5918d3325789e04d83fe0ce9083aa20caee3ee8090cc51c9be5dd595a9daa4
State = 0x28fa568e2cff433021687027c00030ca
Message-Authenticator = 0xc47489fb3839af51207d9f8a33d08901
(12) <thread> : # Executing section authorize from file /etc/freeradius/sites-enabled/default
(12) <thread> : group authorize {
(12) <thread> : - entering group authorize {...}
(12) <thread> : policy filter_username {
(12) <thread> : - entering policy filter_username {...}
(12) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}")
(12) <thread> : expand: '%{User-Name}' -> '@local'
(12) <thread> : expand: '%{tolower:%{User-Name}}' -> '@local'
(12) <thread> : ? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(12) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(12) <thread> : ? if (User-Name =~ / /)
(12) <thread> : ? Evaluating (User-Name =~ / /) -> FALSE
(12) <thread> : ? if (User-Name =~ / /) -> FALSE
(12) <thread> : ? if (User-Name =~ [log in to unmask]*@/ )
(12) <thread> : ? Evaluating (User-Name =~ [log in to unmask]*@/) -> FALSE
(12) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) -> FALSE
(12) <thread> : ? if (User-Name =~ /\\.\\./ )
(12) <thread> : ? Evaluating (User-Name =~ /\\.\\./) -> FALSE
(12) <thread> : ? if (User-Name =~ /\\.\\./ ) -> FALSE
(12) <thread> : ? if (User-Name =~ /\\.$/)
(12) <thread> : ? Evaluating (User-Name =~ /\\.$/) -> FALSE
(12) <thread> : ? if (User-Name =~ /\\.$/) -> FALSE
(12) <thread> : ? if (User-Name =~ /@\\./)
(12) <thread> : ? Evaluating (User-Name =~ /@\\./) -> FALSE
(12) <thread> : ? if (User-Name =~ /@\\./) -> FALSE
(12) <thread> : - policy filter_username returns notfound
(12) [preprocess] = ok
(12) [chap] = noop
(12) [mschap] = noop
(12) [digest] = noop
(12) suffix : Looking up realm "local" for User-Name = "@local"
(12) suffix : Found realm "LOCAL"
(12) suffix : Adding Stripped-User-Name = ""
(12) suffix : Adding Realm = "LOCAL"
(12) suffix : Authentication realm is LOCAL.
(12) [suffix] = ok
(12) eap : EAP packet type response id 5 length 59
(12) eap : Continuing tunnel setup.
(12) [eap] = ok
(12) Found Auth-Type = EAP
(12) # Executing group from file /etc/freeradius/sites-enabled/default
(12) group authenticate {
(12) - entering group authenticate {...}
(12) eap : Expiring EAP session with state 0x28fa568e2cff4330
(12) eap : Finished EAP session with state 0x28fa568e2cff4330
(12) eap : Previous EAP request found for state 0x28fa568e2cff4330, released from the list
(12) eap : EAP/ttls
(12) eap : processing type ttls
(12) ttls : Authenticate
(12) ttls : processing EAP-TLS
(12) ttls : eaptls_verify returned 7
(12) ttls : Done initial handshake
(12) ttls : eaptls_process returned 7
(12) ttls : Session established. Proceeding to decode tunneled attributes.
(12) ttls : Got tunneled request
EAP-Message = 0x02000010017374657665406c6f63616c
FreeRADIUS-Proxied-To = 127.0.0.1
(12) ttls : Got tunneled identity of steve@local
(12) ttls : Setting default EAP type for tunneled EAP session.
(12) ttls : Sending tunneled request
EAP-Message = 0x02000010017374657665406c6f63616c
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "steve@local"
server inner-tunnel {
(12) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
(12) group authorize {
(12) - entering group authorize {...}
(12) [chap] = noop
(12) [mschap] = noop
(12) suffix : Looking up realm "local" for User-Name = "steve@local"
(12) suffix : Found realm "LOCAL"
(12) suffix : Adding Stripped-User-Name = "steve"
(12) suffix : Adding Realm = "LOCAL"
(12) suffix : Authentication realm is LOCAL.
(12) [suffix] = ok
(12) update control {
(12) } # update control = ok
(12) eap : EAP packet type response id 0 length 16
(12) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(12) [eap] = ok
(12) Found Auth-Type = EAP
(12) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(12) group authenticate {
(12) - entering group authenticate {...}
(12) eap : EAP Identity
(12) eap : processing type md5
rlm_eap_md5: Issuing Challenge
(12) eap : New EAP session, adding 'State' attribute to reply 0x3dddb3353ddcb7c4
(12) [eap] = handled
} # server inner-tunnel
(12) ttls : Got tunneled reply code 11
EAP-Message = 0x0101001604103814a88df7881b538dfdff12a32cee88
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3dddb3353ddcb7c4d0a0f845866d8e6f
(12) ttls : Got tunneled Access-Challenge
(12) eap : New EAP session, adding 'State' attribute to reply 0x28fa568e2dfc4330
(12) [eap] = handled
Sending Access-Challenge of id 0 from 0.0.0.0 port 2083 to 127.0.0.1 port 58840
EAP-Message = 0x0106004f1580000000451703010040f61bda8f4f71fa78eef593c026219ea4976733338f986e846d66af31f355afde3209debbc4c264cfb3f33590d96c4773f5c22f64d6aad9ab9dffa123288381e6
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x28fa568e2dfc433021687027c00030ca
(12) Finished request 12.
Thread 3 waiting to be assigned a request
(0) Application data status 7
(0) tls_recv: Access-Request packet from host 127.0.0.1 port 58840, id=0, length=158
(12) Cleaning up request packet ID 0 with timestamp +6
Waking up in 0.2 seconds.
Thread 2 got semaphore
Thread 2 handling request 13, (3 handled so far)
User-Name = "@local"
X-Ascend-FR-DCE-N393 = 1752134516
Attr-165 = 0x6d6f6f6e2d73657276
EAP-Message = 0x0206004b15001703010040a0232e7e8cd3f31285f0cc2137837d9341a6417c1aa08cc4ca98af8f3e16b99661bc02288d020e372f8217ed414a6c0d8b146c398f12e7b76c2744b4eb2164e4
State = 0x28fa568e2dfc433021687027c00030ca
Message-Authenticator = 0x3defb45a87b27e436b7c70bbe02a48bb
(13) <thread> : # Executing section authorize from file /etc/freeradius/sites-enabled/default
(13) <thread> : group authorize {
(13) <thread> : - entering group authorize {...}
(13) <thread> : policy filter_username {
(13) <thread> : - entering policy filter_username {...}
(13) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}")
(13) <thread> : expand: '%{User-Name}' -> '@local'
(13) <thread> : expand: '%{tolower:%{User-Name}}' -> '@local'
(13) <thread> : ? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(13) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(13) <thread> : ? if (User-Name =~ / /)
(13) <thread> : ? Evaluating (User-Name =~ / /) -> FALSE
(13) <thread> : ? if (User-Name =~ / /) -> FALSE
(13) <thread> : ? if (User-Name =~ [log in to unmask]*@/ )
(13) <thread> : ? Evaluating (User-Name =~ [log in to unmask]*@/) -> FALSE
(13) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) -> FALSE
(13) <thread> : ? if (User-Name =~ /\\.\\./ )
(13) <thread> : ? Evaluating (User-Name =~ /\\.\\./) -> FALSE
(13) <thread> : ? if (User-Name =~ /\\.\\./ ) -> FALSE
(13) <thread> : ? if (User-Name =~ /\\.$/)
(13) <thread> : ? Evaluating (User-Name =~ /\\.$/) -> FALSE
(13) <thread> : ? if (User-Name =~ /\\.$/) -> FALSE
(13) <thread> : ? if (User-Name =~ /@\\./)
(13) <thread> : ? Evaluating (User-Name =~ /@\\./) -> FALSE
(13) <thread> : ? if (User-Name =~ /@\\./) -> FALSE
(13) <thread> : - policy filter_username returns notfound
(13) [preprocess] = ok
(13) [chap] = noop
(13) [mschap] = noop
(13) [digest] = noop
(13) suffix : Looking up realm "local" for User-Name = "@local"
(13) suffix : Found realm "LOCAL"
(13) suffix : Adding Stripped-User-Name = ""
(13) suffix : Adding Realm = "LOCAL"
(13) suffix : Authentication realm is LOCAL.
(13) [suffix] = ok
(13) eap : EAP packet type response id 6 length 75
(13) eap : Continuing tunnel setup.
(13) [eap] = ok
(13) Found Auth-Type = EAP
(13) # Executing group from file /etc/freeradius/sites-enabled/default
(13) group authenticate {
(13) - entering group authenticate {...}
(13) eap : Expiring EAP session with state 0x3dddb3353ddcb7c4
(13) eap : Finished EAP session with state 0x28fa568e2dfc4330
(13) eap : Previous EAP request found for state 0x28fa568e2dfc4330, released from the list
(13) eap : EAP/ttls
(13) eap : processing type ttls
(13) ttls : Authenticate
(13) ttls : processing EAP-TLS
(13) ttls : eaptls_verify returned 7
(13) ttls : Done initial handshake
(13) ttls : eaptls_process returned 7
(13) ttls : Session established. Proceeding to decode tunneled attributes.
(13) ttls : Got tunneled request
EAP-Message = 0x02010016041090b94bfba6739be0f61dd14d2df199a2
FreeRADIUS-Proxied-To = 127.0.0.1
(13) ttls : Sending tunneled request
EAP-Message = 0x02010016041090b94bfba6739be0f61dd14d2df199a2
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "steve@local"
State = 0x3dddb3353ddcb7c4d0a0f845866d8e6f
server inner-tunnel {
(13) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
(13) group authorize {
(13) - entering group authorize {...}
(13) [chap] = noop
(13) [mschap] = noop
(13) suffix : Looking up realm "local" for User-Name = "steve@local"
(13) suffix : Found realm "LOCAL"
(13) suffix : Adding Stripped-User-Name = "steve"
(13) suffix : Adding Realm = "LOCAL"
(13) suffix : Authentication realm is LOCAL.
(13) [suffix] = ok
(13) update control {
(13) } # update control = ok
(13) eap : EAP packet type response id 1 length 22
(13) eap : No EAP Start, assuming it's an on-going EAP conversation
(13) [eap] = updated
(13) files : users: Matched entry steve at line 76
(13) [files] = ok
(13) [expiration] = noop
(13) [logintime] = noop
(13) WARNING: pap : Auth-Type already set. Not setting to PAP
(13) [pap] = noop
(13) Found Auth-Type = EAP
(13) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(13) group authenticate {
(13) - entering group authenticate {...}
(13) eap : Expiring EAP session with state 0x3dddb3353ddcb7c4
(13) eap : Finished EAP session with state 0x3dddb3353ddcb7c4
(13) eap : Previous EAP request found for state 0x3dddb3353ddcb7c4, released from the list
(13) eap : EAP/md5
(13) eap : processing type md5
(13) eap : Freeing handler
(13) [eap] = ok
(13) WARNING: Empty post-auth section. Using default return values.
(13) # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
} # server inner-tunnel
(13) ttls : Got tunneled reply code 2
EAP-Message = 0x03010004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "steve"
(13) ttls : Got tunneled Access-Accept
(13) ttls : Saving session 3f7fcd9238b3eeab539d61ecb39154154a584d17ac4ce5e641f055bf071581f2 vps 0x8f9ecd0 in the cache
(13) eap : Freeing handler
rlm_eap_ttls: Freeing handler for user steve@local
(13) [eap] = ok
(13) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
(13) group post-auth {
(13) - entering group post-auth {...}
(13) [exec] = noop
(13) policy remove_reply_message_if_eap {
(13) - entering policy remove_reply_message_if_eap {...}
(13) ? if (reply:EAP-Message && reply:Reply-Message)
(13) ? Evaluating (reply:EAP-Message ) -> TRUE
(13) ? Evaluating (reply:Reply-Message) -> FALSE
(13) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE
(13) else else {
(13) - entering else else {...}
(13) [noop] = noop
(13) - else else returns noop
(13) - policy remove_reply_message_if_eap returns noop
Sending Access-Accept of id 0 from 0.0.0.0 port 2083 to 127.0.0.1 port 58840
MS-MPPE-Recv-Key = 0xa186824e62dc0263969afd340e8226ebac0f192613636059a6bd6ea6aeb1110f
MS-MPPE-Send-Key = 0x41e16c84d12747a5f5d80c7ea2917bb7d3f074ebc7f17ef55b63f83b996448a2
Attr-26.6.122.4 = 0x1551ac7abcc32f85b420319d099d6352bfdc4ab54892c83e82b6bf39add4519f0551ac7abc85177fdcac70b448e92458da737130bc5c6f3def76fe43569bbaadef
EAP-Message = 0x03060004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = ""
WARNING: Skipping zero-length attribute User-Name
(13) Finished request 13.
Thread 2 waiting to be assigned a request
Client has closed connection
(13) Cleaning up request packet ID 0 with timestamp +6
... closing socket authentication from client (127.0.0.1, 58840) -> (*, 2083)
Waking up in 0.2 seconds.
(11) Finished request 11.
Thread 1 waiting to be assigned a request
(4) Cleaning up request packet ID -1 with timestamp +6
Aborted