Hi Dave,

Do you have the following in your post-auth section for your default server (or the one that your SSH server tries to authenticate against):

update reply {
    SAML-AAA-Assertion = '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2011-03-19T08:30:00Z" ID="foo" Version="2.0">'
    SAML-AAA-Assertion += '<saml:Issuer>urn:mace:incommon:osu.edu</saml:Issuer>'
    SAML-AAA-Assertion += '<saml:AttributeStatement>'
    SAML-AAA-Assertion += '<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">'
    SAML-AAA-Assertion += "<saml:AttributeValue>[log in to unmask]</saml:AttributeValue>"
    SAML-AAA-Assertion += '</saml:Attribute>'
    SAML-AAA-Assertion += '<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7">'
    SAML-AAA-Assertion += "<saml:AttributeValue>moonshot</saml:AttributeValue>"
    SAML-AAA-Assertion += '</saml:Attribute>'
    SAML-AAA-Assertion += '</saml:AttributeStatement>'
    SAML-AAA-Assertion += '</saml:Assertion>'
}

I don't see that in the Access-Accept packets from the RADIUS server?

Regards
Stefan

-----Original Message-----
From: Moonshot community list [mailto:[log in to unmask]] On Behalf Of Dave Lewney
Sent: 03 June 2013 12:21
To: [log in to unmask]
Subject: Testing Live DVD pilot release 2

SYNOPSIS

GSS ok
SSH
- using long hostname (hostname -f), no radius activity
- using shortname causes freeradius to crash

Using the install and testing notes all was ok up to and including 5.1 (Testing gss-client and gss-server)

Moving on to "Testing SSH" ...

dml@moon-serv:/etc/ssh$ id moonshot
uid=1001(moonshot) gid=1001(moonshot) groups=1001(moonshot)

Using FQDN,

dml@moon-serv:/etc/ssh$ hostname -f
moon-serv.uscs.susx.ac.uk
dml@moon-serv:/etc/ssh$ ssh [log in to unmask]
[log in to unmask] password:

... and nothing shown in the freeradius debug log.

Using shortname woke up radius and all appears to be going well, but ...

dml@moon-serv:/etc/ssh$ ssh moonshot@moon-serv
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
moonshot@moon-serv's password:

... and the radius daemon has crashed.

I enclose the freeradius debug output below. I notice that it thinks the User-Name is "@local".

Dave

---
Dave Lewney
IT Services, University of Sussex, Brighton BN1 9QT

-------------
root@moon-serv:/etc/init.d# /usr/sbin/freeradius -fxx -l stdout
freeradius: FreeRADIUS Version 3.0.0, for host , built on Apr 18 2013 at 19:22:07
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/mods-enabled/
including configuration file /etc/freeradius/mods-enabled/files
including configuration file /etc/freeradius/mods-enabled/detail.log
including configuration file /etc/freeradius/mods-enabled/psk
including configuration file /etc/freeradius/mods-enabled/attr_filter
including configuration file /etc/freeradius/mods-enabled/logintime
including configuration file /etc/freeradius/mods-enabled/expr
including configuration file /etc/freeradius/mods-enabled/dhcp
including configuration file /etc/freeradius/mods-enabled/unix
including configuration file /etc/freeradius/mods-enabled/counter
including configuration file /etc/freeradius/mods-enabled/soh
including configuration file /etc/freeradius/mods-enabled/wimax
including configuration file /etc/freeradius/mods-enabled/expiration
including configuration file /etc/freeradius/mods-enabled/radutmp
including configuration file /etc/freeradius/mods-enabled/cui
including configuration file /etc/freeradius/mods-enabled/../sql/cui/mysql/queries.conf
including configuration file /etc/freeradius/mods-enabled/eap
including configuration file /etc/freeradius/mods-enabled/preprocess
including configuration file /etc/freeradius/mods-enabled/passwd
including configuration file /etc/freeradius/mods-enabled/exec
including configuration file /etc/freeradius/mods-enabled/inner-eap
including configuration file /etc/freeradius/mods-enabled/linelog
including configuration file /etc/freeradius/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/mods-enabled/digest
including configuration file /etc/freeradius/mods-enabled/replicate
including configuration file /etc/freeradius/mods-enabled/sradutmp
including configuration file /etc/freeradius/mods-enabled/pap
including configuration file /etc/freeradius/mods-enabled/realm
including configuration file /etc/freeradius/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/mods-enabled/attr_rewrite
including configuration file /etc/freeradius/mods-enabled/detail
including configuration file /etc/freeradius/mods-enabled/always
including configuration file /etc/freeradius/mods-enabled/utf8
including configuration file /etc/freeradius/mods-enabled/chap
including configuration file /etc/freeradius/mods-enabled/cache_eap
including configuration file /etc/freeradius/mods-enabled/mschap
including configuration file /etc/freeradius/mods-enabled/checkval
including configuration file /etc/freeradius/mods-enabled/echo
including files in directory /etc/freeradius/policy.d/
including configuration file /etc/freeradius/policy.d/filter
including configuration file /etc/freeradius/policy.d/dhcp
including configuration file /etc/freeradius/policy.d/control
including configuration file /etc/freeradius/policy.d/cui
including configuration file /etc/freeradius/policy.d/operator-name
including configuration file /etc/freeradius/policy.d/eap
including configuration file /etc/freeradius/policy.d/accounting
including configuration file /etc/freeradius/policy.d/canonicalization
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/tls
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
main {
  security {
    user = "freerad"
    group = "freerad"
    allow_core_dumps = no
  }
}
including dictionary file /etc/freeradius/dictionary
main {
  name = "freeradius"
  prefix = "/usr"
  localstatedir = "/var"
  sbindir = "/usr/sbin"
  logdir = "/var/log/freeradius"
  run_dir = "/var/run/freeradius"
  libdir = "/usr/lib/freeradius"
  radacctdir = "/var/log/freeradius/radacct"
  hostname_lookups = no
  max_request_time = 30
  cleanup_delay = 5
  max_requests = 1024
  pidfile = "/var/run/freeradius/freeradius.pid"
  checkrad = "/usr/sbin/checkrad"
  debug_level = 0
  proxy_requests = yes
  log {
    stripped_names = no
    auth = no
    auth_badpass = no
    auth_goodpass = no
    colourise = yes
  }
  security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
  }
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
  retry_delay = 5
  retry_count = 3
  default_fallback = no
  dead_time = 120
  wake_all_if_all_dead = no
}
home_server localhost {
  ipaddr = 127.0.0.1
  port = 1812
  type = "auth"
  secret = "testing123"
  response_window = 20
  max_outstanding = 65536
  zombie_period = 40
  status_check = "status-server"
  ping_interval = 30
  check_interval = 30
  num_answers_to_alive = 3
  revive_interval = 120
  status_check_timeout = 4
  coa {
    irt = 2
    mrt = 16
    mrc = 5
    mrd = 30
  }
  limit {
    max_connections = 16
    max_requests = 0
    lifetime = 0
    idle_timeout = 0
  }
}
home_server tls {
  ipaddr = 127.0.0.1
  port = 2083
  type = "auth"
  proto = "tcp"
  secret = "testing123"
  response_window = 30
  max_outstanding = 65536
  zombie_period = 40
  status_check = "none"
  ping_interval = 30
  check_interval = 30
  num_answers_to_alive = 3
  revive_interval = 300
  status_check_timeout = 4
}
tls {
  rsa_key_exchange = no
  dh_key_exchange = yes
  rsa_key_length = 512
  dh_key_length = 512
  verify_depth = 0
  pem_file_type = yes
  dh_file = "/etc/freeradius/certs/dh"
  random_file = "/etc/freeradius/certs/random"
  fragment_size = 1024
  include_length = yes
  check_crl = no
  ecdh_curve = "prime256v1"
}
home_server_pool my_auth_failover {
  type = fail-over
  home_server = localhost
}
realm example.com {
  auth_pool = my_auth_failover
}
realm LOCAL {
}
home_server_pool tls {
  type = fail-over
  home_server = tls
}
realm tls {
  auth_pool = tls
}
radiusd: #### Loading Clients ####
client localhost {
  ipaddr = 127.0.0.1
  require_message_authenticator = no
  secret = "testing123"
  nastype = "other"
  proto = "*"
  limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
  }
}
radiusd: #### Instantiating modules ####
instantiate {
  Module: Linked to module rlm_exec
  Module: Instantiating module "exec" from file /etc/freeradius/mods-enabled/exec
  exec {
    wait = no
    input_pairs = "request"
    shell_escape = yes
  }
  Module: Linked to module rlm_expr
  Module: Instantiating module "expr" from file /etc/freeradius/mods-enabled/expr
  expr {
    safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
  }
  Module: Linked to module rlm_dhcp
  Module: Instantiating module "dhcp" from file /etc/freeradius/mods-enabled/dhcp
  Module: Linked to module rlm_expiration
  Module: Instantiating module "expiration" from file /etc/freeradius/mods-enabled/expiration
  expiration {
    reply-message = "Password Has Expired "
  }
  Module: Linked to module rlm_logintime
  Module: Instantiating module "logintime" from file /etc/freeradius/mods-enabled/logintime
  logintime {
    reply-message = "You are calling outside your allowed timespan "
    minimum-timeout = 60
  }
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
  modules {
  } # modules
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
  modules {
    Module: Checking authenticate {...} for more modules to load
    Module: Linked to module rlm_pap
    Module: Instantiating module "pap" from file /etc/freeradius/mods-enabled/pap
    pap {
      auto_header = no
    }
    Module: Linked to module rlm_chap
    Module: Instantiating module "chap" from file /etc/freeradius/mods-enabled/chap
    Module: Linked to module rlm_mschap
    Module: Instantiating module "mschap" from file /etc/freeradius/mods-enabled/mschap
    mschap {
      use_mppe = yes
      require_encryption = no
      require_strong = no
      with_ntdomain_hack = yes
      passchange {
      }
      allow_retry = yes
    }
    Module: Linked to module rlm_unix
    Module: Instantiating module "unix" from file /etc/freeradius/mods-enabled/unix
    unix {
      radwtmp = "/var/log/freeradius/radwtmp"
    }
    Module: Linked to module rlm_eap
    Module: Instantiating module "eap" from file /etc/freeradius/mods-enabled/eap
    eap {
      default_eap_type = "ttls"
      timer_expire = 60
      ignore_unknown_eap_types = no
      cisco_accounting_username_bug = no
      max_sessions = 4096
    }
    Module: Linked to sub-module rlm_eap_md5
    Module: Instantiating eap-md5
    Module: Linked to sub-module rlm_eap_leap
    Module: Instantiating eap-leap
    Module: Linked to sub-module rlm_eap_gtc
    Module: Instantiating eap-gtc
    gtc {
      challenge = "Password: "
      auth_type = "PAP"
    }
    Module: Linked to sub-module rlm_eap_tls
    Module: Instantiating eap-tls
    tls {
      tls = "tls-common"
    }
    tls-config tls-common {
      rsa_key_exchange = no
      dh_key_exchange = yes
      rsa_key_length = 512
      dh_key_length = 512
      verify_depth = 0
      CA_path = "/etc/freeradius/certs"
      pem_file_type = yes
      private_key_file = "/etc/freeradius/certs/server.pem"
      certificate_file = "/etc/freeradius/certs/server.pem"
      CA_file = "/etc/freeradius/certs/ca.pem"
      private_key_password = "whatever"
      dh_file = "/etc/freeradius/certs/dh"
      random_file = "/etc/freeradius/certs/random"
      fragment_size = 1024
      include_length = yes
      check_crl = no
      cipher_list = "DEFAULT"
      make_cert_command = "/etc/freeradius/certs/bootstrap"
      ecdh_curve = "prime256v1"
      cache {
        enable = yes
        lifetime = 24
        max_entries = 255
      }
      verify {
      }
      ocsp {
        enable = no
        override_cert_url = yes
        url = "http://127.0.0.1/ocsp/"
        use_nonce = yes
        timeout = 0
        softfail = yes
      }
    }
    Module: Linked to sub-module rlm_eap_ttls
    Module: Instantiating eap-ttls
    ttls {
      tls = "tls-common"
      default_eap_type = "md5"
      copy_request_to_tunnel = no
      use_tunneled_reply = no
      virtual_server = "inner-tunnel"
      include_length = yes
      require_client_cert = no
    }
    debug: Using cached TLS configuration from previous invocation
    Module: Linked to sub-module rlm_eap_peap
    Module: Instantiating eap-peap
    peap {
      tls = "tls-common"
      default_eap_type = "mschapv2"
      copy_request_to_tunnel = no
      use_tunneled_reply = no
      proxy_tunneled_request_as_eap = yes
      virtual_server = "inner-tunnel"
      soh = no
      require_client_cert = no
    }
    debug: Using cached TLS configuration from previous invocation
    Module: Linked to sub-module rlm_eap_mschapv2
    Module: Instantiating eap-mschapv2
    mschapv2 {
      with_ntdomain_hack = no
      send_error = no
    }
    Module: Checking authorize {...} for more modules to load
    Module: Linked to module rlm_realm
    Module: Instantiating module "suffix" from file /etc/freeradius/mods-enabled/realm
    Warning: dh_check failed with 8: the g value is not a generator
    realm suffix {
      format = "suffix"
      delimiter = "@"
      ignore_default = no
      ignore_null = no
      default_community = "apc.moonshot.ja.net"
      rp_realm = "local"
      trust_router = "localhost"
    }
    Module: Linked to module rlm_files
    Module: Instantiating module "files" from file /etc/freeradius/mods-enabled/files
    files {
      usersfile = "/etc/freeradius/users"
      acctusersfile = "/etc/freeradius/acct_users"
      preproxy_usersfile = "/etc/freeradius/preproxy_users"
      compat = "no"
    }
    reading pairlist file /etc/freeradius/users
    reading pairlist file /etc/freeradius/acct_users
    reading pairlist file /etc/freeradius/preproxy_users
    Module: Checking session {...} for more modules to load
    Module: Linked to module rlm_radutmp
    Module: Instantiating module "radutmp" from file /etc/freeradius/mods-enabled/radutmp
    radutmp {
      filename = "/var/log/freeradius/radutmp"
      username = "%{User-Name}"
      case_sensitive = yes
      check_with_nas = yes
      perm = 384
      callerid = yes
    }
    Module: Checking post-proxy {...} for more modules to load
    Module: Checking post-auth {...} for more modules to load
    Module: Linked to module rlm_attr_filter
    Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter
    attr_filter attr_filter.access_reject {
      file = "/etc/freeradius/filter/access_reject"
      key = "%{User-Name}"
      relaxed = no
    }
    reading pairlist file /etc/freeradius/filter/access_reject
  } # modules
} # server
server default { # from file /etc/freeradius/sites-enabled/default
  modules {
    Module: Creating Auth-Type = digest
    Module: Checking authenticate {...} for more modules to load
    Module: Linked to module rlm_digest
    Module: Instantiating module "digest" from file /etc/freeradius/mods-enabled/digest
    Module: Checking authorize {...} for more modules to load
    Module: Loading virtual module filter_username
    Module: Linked to module rlm_always
    Module: Instantiating module "reject" from file /etc/freeradius/mods-enabled/always
    always reject {
      rcode = "reject"
      simulcount = 0
      mpp = no
    }
    Module: Linked to module rlm_preprocess
    Module: Instantiating module "preprocess" from file /etc/freeradius/mods-enabled/preprocess
    preprocess {
      huntgroups = "/etc/freeradius/huntgroups"
      hints = "/etc/freeradius/hints"
      with_ascend_hack = no
      ascend_channels_per_line = 23
      with_ntdomain_hack = no
      with_specialix_jetstream_hack = no
      with_cisco_vsa_hack = no
      with_alvarion_vsa_hack = no
    }
    reading pairlist file /etc/freeradius/huntgroups
    reading pairlist file /etc/freeradius/hints
    Module: Checking preacct {...} for more modules to load
    Module: Loading virtual module acct_unique
    Module: Checking accounting {...} for more modules to load
    Module: Linked to module rlm_detail
    Module: Instantiating module "detail" from file /etc/freeradius/mods-enabled/detail
    detail {
      detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
      header = "%t"
      detailperm = 384
      dirperm = 493
      locking = no
      log_packet_header = no
    }
    Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter
    attr_filter attr_filter.accounting_response {
      file = "/etc/freeradius/filter/accounting_response"
      key = "%{User-Name}"
      relaxed = no
    }
    reading pairlist file /etc/freeradius/filter/accounting_response
    Module: Checking post-proxy {...} for more modules to load
    Module: Checking post-auth {...} for more modules to load
    Module: Loading virtual module remove_reply_message_if_eap
    Module: Instantiating module "noop" from file /etc/freeradius/mods-enabled/always
    always noop {
      rcode = "noop"
      simulcount = 0
      mpp = no
    }
    Module: Loading virtual module remove_reply_message_if_eap
  } # modules
} # server
thread pool {
  start_servers = 5
  max_servers = 32
  min_spare_servers = 3
  max_spare_servers = 10
  max_requests_per_server = 0
  cleanup_delay = 5
  max_queue_size = 65536
  auto_limit_acct = no
}
Thread spawned new child 1. Total threads in pool: 1
Thread spawned new child 2. Total threads in pool: 2
Thread spawned new child 3. Total threads in pool: 3
Thread spawned new child 4. Total threads in pool: 4
Thread spawned new child 5. Total threads in pool: 5
Thread pool initialized
radiusd: #### Opening IP addresses and Ports ####
listen {
  type = "auth"
  ipaddr = *
  port = 2083
  max_pps = 0
  proto = "tcp"
  tls {
    rsa_key_exchange = no
    dh_key_exchange = yes
    rsa_key_length = 512
    dh_key_length = 512
    verify_depth = 0
    CA_path = "/etc/freeradius/certs"
    pem_file_type = yes
    private_key_file = "/etc/freeradius/certs/server.pem"
    certificate_file = "/etc/freeradius/certs/server.pem"
    CA_file = "/etc/freeradius/certs/ca.pem"
    private_key_password = "whatever"
    dh_file = "/etc/freeradius/certs/dh"
    random_file = "/etc/freeradius/certs/random"
    fragment_size = 1024
    include_length = yes
    check_crl = no
    cipher_list = "PSK:ALL:!aNULL:!eNULL"
    require_client_cert = yes
    ecdh_curve = "prime256v1"
    cache {
      enable = no
      lifetime = 24
      max_entries = 255
    }
    verify {
    }
  }
Thread 5 waiting to be assigned a request
Thread 4 waiting to be assigned a request
Thread 1 waiting to be assigned a request
Thread 3 waiting to be assigned a request
Thread 2 waiting to be assigned a request
  clients = "radsec"
  client 127.0.0.1 {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = "testing123"
    virtual_server = "default"
    proto = "tcp"
  }
  client default {
    ipaddr = 0.0.0.0
    netmask = 0
    require_message_authenticator = no
    secret = "testing123"
    virtual_server = "default"
    proto = "tcp"
  }
}
listen {
  type = "auth"
  ipaddr = 127.0.0.1
  port = 4000
  max_pps = 0
  client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = "testing123"
    nastype = "other"
    proto = "*"
    limit {
      max_connections = 16
      lifetime = 0
      idle_timeout = 30
    }
  }
}
listen {
  type = "auth"
  ipaddr = 127.0.0.1
  port = 18120
  max_pps = 0
  client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = "testing123"
    nastype = "other"
    proto = "*"
    limit {
      max_connections = 16
      lifetime = 0
      idle_timeout = 30
    }
  }
}
listen {
  type = "auth"
  ipaddr = *
  port = 0
  max_pps = 0
  client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = "testing123"
    nastype = "other"
    proto = "*"
    limit {
      max_connections = 16
      lifetime = 0
      idle_timeout = 30
    }
  }
}
listen {
  type = "acct"
  ipaddr = *
  port = 0
  max_pps = 0
  client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = "testing123"
    nastype = "other"
    proto = "*"
    limit {
      max_connections = 16
      lifetime = 0
      idle_timeout = 30
    }
  }
}
Listening on authentication proto tcp address * port 2083 (TLS)
Listening on authentication address 127.0.0.1 port 4000
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on authentication address * port 1812 as server default
Listening on accounting address * port 1813 as server default
Opening new proxy address * port 2085
Listening on proxy address * port 2085
Ready to process requests.
 ... new connection request on TCP socket.
Listening on authentication from client (127.0.0.1, 58839) -> (*, 2083)
Waking up in 0.6 seconds.
(0) Requiring client certificate
(0) Initiate
(0) (other): before/accept initialization
(0) TLS_accept: before/accept initialization
(0) <<< TLS 1.0 Handshake [length 00dd], ClientHello
(0) TLS_accept: SSLv3 read client hello A
(0) >>> TLS 1.0 Handshake [length 003e], ServerHello
(0) TLS_accept: SSLv3 write server hello A
(0) >>> TLS 1.0 Handshake [length 085e], Certificate
(0) TLS_accept: SSLv3 write certificate A
(0) >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(0) TLS_accept: SSLv3 write key exchange A
(0) >>> TLS 1.0 Handshake [length 00a6], CertificateRequest
(0) TLS_accept: SSLv3 write certificate request A
(0) TLS_accept: SSLv3 flush data
(0) TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
Waking up in 0.6 seconds.
(0) <<< TLS 1.0 Handshake [length 0853], Certificate
(0) chain-depth=1,
(0) error=0
(0) --> BUF-Name = Example Certificate Authority
(0) --> subject = /C=FR/ST=Radius/L=Somewhere/O=Example [log in to unmask] Certificate Authority
(0) --> issuer = /C=FR/ST=Radius/L=Somewhere/O=Example [log in to unmask] Certificate Authority
(0) --> verify return:1
(0) chain-depth=0,
(0) error=0
(0) --> BUF-Name = [log in to unmask]
(0) --> subject = /C=FR/ST=Radius/O=Example [log in to unmask]@example.com
(0) --> issuer = /C=FR/ST=Radius/L=Somewhere/O=Example [log in to unmask] Certificate Authority
(0) --> verify return:1
(0) TLS_accept: SSLv3 read client certificate A
(0) <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(0) TLS_accept: SSLv3 read client key exchange A
(0) <<< TLS 1.0 Handshake [length 0106], CertificateVerify
(0) TLS_accept: SSLv3 read certificate verify A
(0) <<< TLS 1.0 ChangeCipherSpec [length 0001]
(0) <<< TLS 1.0 Handshake [length 0010], Finished
(0) TLS_accept: SSLv3 read finished A
(0) >>> TLS 1.0 ChangeCipherSpec [length 0001]
(0) TLS_accept: SSLv3 write change cipher spec A
(0) >>> TLS 1.0 Handshake [length 0010], Finished
(0) TLS_accept: SSLv3 write finished A
(0) TLS_accept: SSLv3 flush data
(0) (other): SSL negotiation finished successfully
SSL Connection Established
Waking up in 0.5 seconds.
(0) Application data status 7
(0) tls_recv: Access-Request packet from host 127.0.0.1 port 58839, id=0, length=76
Threads: total/active/spare threads = 5/0/5
Thread 5 got semaphore
Thread 5 handling request 0, (1 handled so far)
    User-Name = "@local"
    X-Ascend-FR-DCE-N393 = 1752134516
    Attr-165 = 0x6d6f6f6e2d73657276
    EAP-Message = 0x0200000b01406c6f63616c
    Message-Authenticator = 0xdc1528b900eabf84a5505ca42db38962
(0) <thread> : # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0) <thread> : group authorize {
(0) <thread> : - entering group authorize {...}
(0) <thread> : policy filter_username {
(0) <thread> : - entering policy filter_username {...}
(0) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}")
(0) <thread> : expand: '%{User-Name}' -> '@local'
(0) <thread> : expand: '%{tolower:%{User-Name}}' -> '@local'
(0) <thread> : ? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(0) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(0) <thread> : ? if (User-Name =~ / /)
(0) <thread> : ? Evaluating (User-Name =~ / /) -> FALSE
(0) <thread> : ? if (User-Name =~ / /) -> FALSE
(0) <thread> : ? if (User-Name =~ [log in to unmask]*@/ )
(0) <thread> : ? Evaluating (User-Name =~ [log in to unmask]*@/) -> FALSE
(0) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) -> FALSE
(0) <thread> : ? if (User-Name =~ /\\.\\./ )
(0) <thread> : ? Evaluating (User-Name =~ /\\.\\./) -> FALSE
(0) <thread> : ? if (User-Name =~ /\\.\\./ ) -> FALSE
(0) <thread> : ? if (User-Name =~ /\\.$/)
(0) <thread> : ? Evaluating (User-Name =~ /\\.$/) -> FALSE
(0) <thread> : ? if (User-Name =~ /\\.$/) -> FALSE
(0) <thread> : ? if (User-Name =~ /@\\./)
(0) <thread> : ? Evaluating (User-Name =~ /@\\./) -> FALSE
(0) <thread> : ? if (User-Name =~ /@\\./) -> FALSE
(0) <thread> : - policy filter_username returns notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : Looking up realm "local" for User-Name = "@local"
(0) suffix : Found realm "LOCAL"
(0) suffix : Adding Stripped-User-Name = ""
(0) suffix : Adding Realm = "LOCAL"
(0) suffix : Authentication realm is LOCAL.
(0) [suffix] = ok
(0) eap : EAP packet type response id 0 length 11
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) group authenticate {
(0) - entering group authenticate {...}
(0) eap : EAP Identity
(0) eap : processing type ttls
(0) ttls : Flushing SSL sessions (of #0)
(0) ttls : Initiate
(0) ttls : Start returned 1
(0) eap : New EAP session, adding 'State' attribute to reply 0x712f0bd4712e1e61
(0) [eap] = handled
Sending Access-Challenge of id 0 from 0.0.0.0 port 2083 to 127.0.0.1 port 58839
    EAP-Message = 0x010100061520
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x712f0bd4712e1e6167f66eff129f2ec3
(0) Finished request 0.
Thread 5 waiting to be assigned a request
Waking up in 0.3 seconds.
(0) Application data status 7
(0) tls_recv: Access-Request packet from host 127.0.0.1 port 58839, id=0, length=145
(0) Cleaning up request packet ID 0 with timestamp +6
Thread 4 got semaphore
Thread 4 handling request 1, (1 handled so far)
    User-Name = "@local"
    X-Ascend-FR-DCE-N393 = 1752134516
    Attr-165 = 0x6d6f6f6e2d73657276
    EAP-Message = 0x0201003e150016030100330100002f030151ac7abc8b36266ab11aedfd890b67fc81e9c0677271952682b8fcee96eff209000008002f000a000500040100
    State = 0x712f0bd4712e1e6167f66eff129f2ec3
    Message-Authenticator = 0xd5e3b4c19b81085113c86553b4a8538a
(1) <thread> : # Executing section authorize from file /etc/freeradius/sites-enabled/default
(1) <thread> : group authorize {
(1) <thread> : - entering group authorize {...}
(1) <thread> : policy filter_username {
(1) <thread> : - entering policy filter_username {...}
(1) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}")
(1) <thread> : expand: '%{User-Name}' -> '@local'
(1) <thread> : expand: '%{tolower:%{User-Name}}' -> '@local'
(1) <thread> : ? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(1) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(1) <thread> : ? if (User-Name =~ / /)
(1) <thread> : ? Evaluating (User-Name =~ / /) -> FALSE
(1) <thread> : ? if (User-Name =~ / /) -> FALSE
(1) <thread> : ? if (User-Name =~ [log in to unmask]*@/ )
(1) <thread> : ? Evaluating (User-Name =~ [log in to unmask]*@/) -> FALSE
(1) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) -> FALSE
(1) <thread> : ? if (User-Name =~ /\\.\\./ )
(1) <thread> : ? Evaluating (User-Name =~ /\\.\\./) -> FALSE
(1) <thread> : ? if (User-Name =~ /\\.\\./ ) -> FALSE
(1) <thread> : ? if (User-Name =~ /\\.$/)
(1) <thread> : ? Evaluating (User-Name =~ /\\.$/) -> FALSE
(1) <thread> : ? if (User-Name =~ /\\.$/) -> FALSE
(1) <thread> : ? if (User-Name =~ /@\\./)
(1) <thread> : ? Evaluating (User-Name =~ /@\\./) -> FALSE
(1) <thread> : ? if (User-Name =~ /@\\./) -> FALSE
(1) <thread> : - policy filter_username returns notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix : Looking up realm "local" for User-Name = "@local"
(1) suffix : Found realm "LOCAL"
(1) suffix : Adding Stripped-User-Name = ""
(1) suffix : Adding Realm = "LOCAL"
(1) suffix : Authentication realm is LOCAL.
(1) [suffix] = ok
(1) eap : EAP packet type response id 1 length 62
(1) eap : Continuing tunnel setup.
(1) [eap] = ok
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) group authenticate {
(1) - entering group authenticate {...}
(1) eap : Expiring EAP session with state 0x712f0bd4712e1e61
(1) eap : Finished EAP session with state 0x712f0bd4712e1e61
(1) eap : Previous EAP request found for state 0x712f0bd4712e1e61, released from the list
(1) eap : EAP/ttls
(1) eap : processing type ttls
(1) ttls : Authenticate
(1) ttls : processing EAP-TLS
(1) ttls : eaptls_verify returned 7
(1) ttls : Done initial handshake
(1) ttls : (other): before/accept initialization
(1) ttls : TLS_accept: before/accept initialization
(1) ttls : <<< TLS 1.0 Handshake [length 0033], ClientHello
(1) ttls : TLS_accept: SSLv3 read client hello A
(1) ttls : >>> TLS 1.0 Handshake [length 004a], ServerHello
(1) ttls : TLS_accept: SSLv3 write server hello A
(1) ttls : >>> TLS 1.0 Handshake [length 085e], Certificate
(1) ttls : TLS_accept: SSLv3 write certificate A
(1) ttls : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(1) ttls : TLS_accept: SSLv3 write server done A
(1) ttls : TLS_accept: SSLv3 flush data
(1) ttls : TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
(1) ttls : eaptls_process returned 13
(1) eap : New EAP session, adding 'State' attribute to reply 0x712f0bd4702d1e61
(1) [eap] = handled
Sending Access-Challenge of id 0 from 0.0.0.0 port 2083 to 127.0.0.1 port 58839
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x712f0bd4702d1e6167f66eff129f2ec3
(1) Finished request 1.
Thread 4 waiting to be assigned a request
Waking up in 0.3 seconds.
(0) Application data status 7
(0) tls_recv: Access-Request packet from host 127.0.0.1 port 58839, id=0, length=89
(1) Cleaning up request packet ID 0 with timestamp +6
Thread 3 got semaphore
Thread 3 handling request 2, (1 handled so far)
    User-Name = "@local"
    X-Ascend-FR-DCE-N393 = 1752134516
    Attr-165 = 0x6d6f6f6e2d73657276
    EAP-Message = 0x020200061500
    State = 0x712f0bd4702d1e6167f66eff129f2ec3
    Message-Authenticator = 0x17d5fd0e52b365059058dba254a2fc58
(2) <thread> : # Executing section authorize from file /etc/freeradius/sites-enabled/default
(2) <thread> : group authorize {
(2) <thread> : - entering group authorize {...}
(2) <thread> : policy filter_username {
(2) <thread> : - entering policy filter_username {...}
(2) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}")
(2) <thread> : expand: '%{User-Name}' -> '@local'
(2) <thread> : expand: '%{tolower:%{User-Name}}' -> '@local'
(2) <thread> : ? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(2) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(2) <thread> : ? if (User-Name =~ / /)
(2) <thread> : ? Evaluating (User-Name =~ / /) -> FALSE
(2) <thread> : ? if (User-Name =~ / /) -> FALSE
(2) <thread> : ? if (User-Name =~ [log in to unmask]*@/ )
(2) <thread> : ? Evaluating (User-Name =~ [log in to unmask]*@/) -> FALSE
(2) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) -> FALSE
(2) <thread> : ? if (User-Name =~ /\\.\\./ )
(2) <thread> : ? Evaluating (User-Name =~ /\\.\\./) -> FALSE
(2) <thread> : ? if (User-Name =~ /\\.\\./ ) -> FALSE
(2) <thread> : ? if (User-Name =~ /\\.$/)
(2) <thread> : ? Evaluating (User-Name =~ /\\.$/) -> FALSE
(2) <thread> : ? if (User-Name =~ /\\.$/) -> FALSE
(2) <thread> : ? if (User-Name =~ /@\\./)
(2) <thread> : ? Evaluating (User-Name =~ /@\\./) -> FALSE
(2) <thread> : ? if (User-Name =~ /@\\./) -> FALSE
(2) <thread> : - policy filter_username returns notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix : Looking up realm "local" for User-Name = "@local"
(2) suffix : Found realm "LOCAL"
(2) suffix : Adding Stripped-User-Name = ""
(2) suffix : Adding Realm = "LOCAL"
(2) suffix : Authentication realm is LOCAL.
(2) [suffix] = ok
(2) eap : EAP packet type response id 2 length 6
(2) eap : Continuing tunnel setup.
(2) [eap] = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2) group authenticate {
(2) - entering group authenticate {...}
(2) eap : Expiring EAP session with state 0x712f0bd4702d1e61
(2) eap : Finished EAP session with state 0x712f0bd4702d1e61
(2) eap : Previous EAP request found for state 0x712f0bd4702d1e61, released from the list
(2) eap : EAP/ttls
(2) eap : processing type ttls
(2) ttls : Authenticate
(2) ttls : processing EAP-TLS
(2) ttls : Received TLS ACK
(2) ttls : Received TLS ACK
(2) ttls : ACK handshake fragment handler
(2) ttls : eaptls_verify returned 1
(2) ttls : eaptls_process returned 13
(2) eap : New EAP session, adding 'State' attribute to reply 0x712f0bd4732c1e61
(2) [eap] = handled
Sending Access-Challenge of id 0 from 0.0.0.0 port 2083 to 127.0.0.1 port 58839
EAP-Message = 0xc03081bd80144bc9ef9fa77920584ee92214be643e1a5974e223a18199a48196308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900e3bdffa7131f5e6a300c0603551d13040530030101ff300d06092a864886f70d0101050500038201010003f0b6fb1cc5dc0fb49e4f088643ec34c2bb Message-Authenticator = 0x00000000000000000000000000000000 State = 0x712f0bd4732c1e6167f66eff129f2ec3 (2) Finished request 2. Thread 3 waiting to be assigned a request Waking up in 0.3 seconds. (0) Application data status 7 (0) tls_recv: Access-Request packet from host 127.0.0.1 port 58839, id=0, length=89 (2) Cleaning up request packet ID 0 with timestamp +6 Thread 2 got semaphore Thread 2 handling request 3, (1 handled so far) User-Name = "@local" X-Ascend-FR-DCE-N393 = 1752134516 Attr-165 = 0x6d6f6f6e2d73657276 EAP-Message = 0x020300061500 State = 0x712f0bd4732c1e6167f66eff129f2ec3 Message-Authenticator = 0x0c2b6721f97ea1573af77fae84785634 (3) <thread> : # Executing section authorize from file /etc/freeradius/sites-enabled/default (3) <thread> : group authorize { (3) <thread> : - entering group authorize {...} (3) <thread> : policy filter_username { (3) <thread> : - entering policy filter_username {...} (3) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") (3) <thread> : expand: '%{User-Name}' -> '@local' (3) <thread> : expand: '%{tolower:%{User-Name}}' -> '@local' (3) <thread> : ? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE (3) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (3) <thread> : ? if (User-Name =~ / /) (3) <thread> : ? Evaluating (User-Name =~ / /) -> FALSE (3) <thread> : ? if (User-Name =~ / /) -> FALSE (3) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) (3) <thread> : ? 
Evaluating (User-Name =~ [log in to unmask]*@/) -> FALSE (3) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) -> FALSE (3) <thread> : ? if (User-Name =~ /\\.\\./ ) (3) <thread> : ? Evaluating (User-Name =~ /\\.\\./) -> FALSE (3) <thread> : ? if (User-Name =~ /\\.\\./ ) -> FALSE (3) <thread> : ? if (User-Name =~ /\\.$/) (3) <thread> : ? Evaluating (User-Name =~ /\\.$/) -> FALSE (3) <thread> : ? if (User-Name =~ /\\.$/) -> FALSE (3) <thread> : ? if (User-Name =~ /@\\./) (3) <thread> : ? Evaluating (User-Name =~ /@\\./) -> FALSE (3) <thread> : ? if (User-Name =~ /@\\./) -> FALSE (3) <thread> : - policy filter_username returns notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix : Looking up realm "local" for User-Name = "@local" (3) suffix : Found realm "LOCAL" (3) suffix : Adding Stripped-User-Name = "" (3) suffix : Adding Realm = "LOCAL" (3) suffix : Authentication realm is LOCAL. (3) [suffix] = ok (3) eap : EAP packet type response id 3 length 6 (3) eap : Continuing tunnel setup. 
(3) [eap] = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3) group authenticate {
(3) - entering group authenticate {...}
(3) eap : Expiring EAP session with state 0x712f0bd4732c1e61
(3) eap : Finished EAP session with state 0x712f0bd4732c1e61
(3) eap : Previous EAP request found for state 0x712f0bd4732c1e61, released from the list
(3) eap : EAP/ttls
(3) eap : processing type ttls
(3) ttls : Authenticate
(3) ttls : processing EAP-TLS
(3) ttls : Received TLS ACK
(3) ttls : Received TLS ACK
(3) ttls : ACK handshake fragment handler
(3) ttls : eaptls_verify returned 1
(3) ttls : eaptls_process returned 13
(3) eap : New EAP session, adding 'State' attribute to reply 0x712f0bd4722b1e61
(3) [eap] = handled
Sending Access-Challenge of id 0 from 0.0.0.0 port 2083 to 127.0.0.1 port 58839
    EAP-Message = 0x0e000000
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x712f0bd4722b1e6167f66eff129f2ec3
(3) Finished request 3.
Thread 2 waiting to be assigned a request
Waking up in 0.3 seconds.
(0) Application data status 7
(0) tls_recv: Access-Request packet from host 127.0.0.1 port 58839, id=0, length=417
(3) Cleaning up request packet ID 0 with timestamp +6
Waking up in 0.3 seconds.
Thread 1 got semaphore
Thread 1 handling request 4, (1 handled so far)
    User-Name = "@local"
    X-Ascend-FR-DCE-N393 = 1752134516
    Attr-165 = 0x6d6f6f6e2d73657276
    EAP-Message = 0x3a694f2e6062275cf8e46c26902269ef5e8edec31403010001011603010030d97c305b676cbaa292e0f708cb36f37f487b5da2a22efdcc4815eeb367dfc47c0da09082d122484a1e9fe2cb6dd00647
    State = 0x712f0bd4722b1e6167f66eff129f2ec3
    Message-Authenticator = 0xb4318cc18097a0c3b6ca334bb2888779
(4) <thread> : # Executing section authorize from file /etc/freeradius/sites-enabled/default
(4) <thread> : group authorize {
(4) <thread> : - entering group authorize {...}
(4) <thread> : policy filter_username {
(4) <thread> : - entering policy filter_username {...}
(4) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}")
(4) <thread> : expand: '%{User-Name}' -> '@local'
(4) <thread> : expand: '%{tolower:%{User-Name}}' -> '@local'
(4) <thread> : ? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(4) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(4) <thread> : ? if (User-Name =~ / /)
(4) <thread> : ? Evaluating (User-Name =~ / /) -> FALSE
(4) <thread> : ? if (User-Name =~ / /) -> FALSE
(4) <thread> : ? if (User-Name =~ [log in to unmask]*@/ )
(4) <thread> : ? Evaluating (User-Name =~ [log in to unmask]*@/) -> FALSE
(4) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) -> FALSE
(4) <thread> : ? if (User-Name =~ /\\.\\./ )
(4) <thread> : ? Evaluating (User-Name =~ /\\.\\./) -> FALSE
(4) <thread> : ? if (User-Name =~ /\\.\\./ ) -> FALSE
(4) <thread> : ? if (User-Name =~ /\\.$/)
(4) <thread> : ? Evaluating (User-Name =~ /\\.$/) -> FALSE
(4) <thread> : ? if (User-Name =~ /\\.$/) -> FALSE
(4) <thread> : ? if (User-Name =~ /@\\./)
(4) <thread> : ? Evaluating (User-Name =~ /@\\./) -> FALSE
(4) <thread> : ? if (User-Name =~ /@\\./) -> FALSE
(4) <thread> : - policy filter_username returns notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix : Looking up realm "local" for User-Name = "@local"
(4) suffix : Found realm "LOCAL"
(4) suffix : Adding Stripped-User-Name = ""
(4) suffix : Adding Realm = "LOCAL"
(4) suffix : Authentication realm is LOCAL.
(4) [suffix] = ok
(4) eap : EAP packet type response id 4 length 253
(4) eap : Continuing tunnel setup.
(4) [eap] = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4) group authenticate {
(4) - entering group authenticate {...}
(4) eap : Expiring EAP session with state 0x712f0bd4722b1e61
(4) eap : Finished EAP session with state 0x712f0bd4722b1e61
(4) eap : Previous EAP request found for state 0x712f0bd4722b1e61, released from the list
(4) eap : EAP/ttls
(4) eap : processing type ttls
(4) ttls : Authenticate
(4) ttls : processing EAP-TLS
(4) ttls : eaptls_verify returned 7
(4) ttls : Done initial handshake
(4) ttls : <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
(4) ttls : TLS_accept: SSLv3 read client key exchange A
(4) ttls : <<< TLS 1.0 ChangeCipherSpec [length 0001]
(4) ttls : <<< TLS 1.0 Handshake [length 0010], Finished
(4) ttls : TLS_accept: SSLv3 read finished A
(4) ttls : >>> TLS 1.0 ChangeCipherSpec [length 0001]
(4) ttls : TLS_accept: SSLv3 write change cipher spec A
(4) ttls : >>> TLS 1.0 Handshake [length 0010], Finished
(4) ttls : TLS_accept: SSLv3 write finished A
(4) ttls : TLS_accept: SSLv3 flush data
SSL: adding session 0116a21c94250be83ee0f0ecdf3e5335ea73c6de4dc83c70cb5ebef766e33466 to cache
(4) ttls : (other): SSL negotiation finished successfully
SSL Connection Established
(4) ttls : eaptls_process returned 13
(4) eap : New EAP session, adding 'State' attribute to reply 0x712f0bd4752a1e61
(4) [eap] = handled
Sending Access-Challenge of id 0 from 0.0.0.0 port 2083 to 127.0.0.1 port 58839
    EAP-Message = 0x0105004515800000003b14030100010116030100309a8d459e4db1889c804a39398967936f10e8b00c533b668ec3da6a5e7d8f87deaa48222f4f4f3a5e3d9abcf41b85fd92
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x712f0bd4752a1e6167f66eff129f2ec3
(0) Application data status 7
(0) tls_recv: Access-Request packet from host 127.0.0.1 port 58839, id=0, length=142
(4) Waiting for child thread to stop
Waking up in 0.3 seconds.
Thread 5 got semaphore
Thread 5 handling request 5, (2 handled so far)
    User-Name = "@local"
    X-Ascend-FR-DCE-N393 = 1752134516
    Attr-165 = 0x6d6f6f6e2d73657276
    EAP-Message = 0x0205003b15001703010030c1003265c990d02afea3fd41923e47dd4236be00e616d2255546a57127df2873ca1cb7b488f469fb20a17ee8e91e65a5
    State = 0x712f0bd4752a1e6167f66eff129f2ec3
    Message-Authenticator = 0x192228e56da1620718788bf10c90b051
(5) <thread> : # Executing section authorize from file /etc/freeradius/sites-enabled/default
(5) <thread> : group authorize {
(5) <thread> : - entering group authorize {...}
(5) <thread> : policy filter_username {
(5) <thread> : - entering policy filter_username {...}
(5) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}")
(5) <thread> : expand: '%{User-Name}' -> '@local'
(5) <thread> : expand: '%{tolower:%{User-Name}}' -> '@local'
(5) <thread> : ? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(5) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(5) <thread> : ? if (User-Name =~ / /)
(5) <thread> : ? Evaluating (User-Name =~ / /) -> FALSE
(5) <thread> : ? if (User-Name =~ / /) -> FALSE
(5) <thread> : ? if (User-Name =~ [log in to unmask]*@/ )
(5) <thread> : ? Evaluating (User-Name =~ [log in to unmask]*@/) -> FALSE
(5) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) -> FALSE
(5) <thread> : ? if (User-Name =~ /\\.\\./ )
(5) <thread> : ? Evaluating (User-Name =~ /\\.\\./) -> FALSE
(5) <thread> : ? if (User-Name =~ /\\.\\./ ) -> FALSE
(5) <thread> : ? if (User-Name =~ /\\.$/)
(5) <thread> : ? Evaluating (User-Name =~ /\\.$/) -> FALSE
(5) <thread> : ? if (User-Name =~ /\\.$/) -> FALSE
(5) <thread> : ? if (User-Name =~ /@\\./)
(5) <thread> : ? Evaluating (User-Name =~ /@\\./) -> FALSE
(5) <thread> : ? if (User-Name =~ /@\\./) -> FALSE
(5) <thread> : - policy filter_username returns notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix : Looking up realm "local" for User-Name = "@local"
(5) suffix : Found realm "LOCAL"
(5) suffix : Adding Stripped-User-Name = ""
(5) suffix : Adding Realm = "LOCAL"
(5) suffix : Authentication realm is LOCAL.
(5) [suffix] = ok
(5) eap : EAP packet type response id 5 length 59
(5) eap : Continuing tunnel setup.
(5) [eap] = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) group authenticate {
(5) - entering group authenticate {...}
(5) eap : Expiring EAP session with state 0x712f0bd4752a1e61
(5) eap : Finished EAP session with state 0x712f0bd4752a1e61
(5) eap : Previous EAP request found for state 0x712f0bd4752a1e61, released from the list
(5) eap : EAP/ttls
(5) eap : processing type ttls
(5) ttls : Authenticate
(5) ttls : processing EAP-TLS
(5) ttls : eaptls_verify returned 7
(5) ttls : Done initial handshake
(5) ttls : eaptls_process returned 7
(5) ttls : Session established. Proceeding to decode tunneled attributes.
(5) ttls : Got tunneled request
    EAP-Message = 0x02000010017374657665406c6f63616c
    FreeRADIUS-Proxied-To = 127.0.0.1
(5) ttls : Got tunneled identity of steve@local
(5) ttls : Setting default EAP type for tunneled EAP session.
(5) ttls : Sending tunneled request
    EAP-Message = 0x02000010017374657665406c6f63616c
    FreeRADIUS-Proxied-To = 127.0.0.1
    User-Name = "steve@local"
server inner-tunnel {
(5) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
(5) group authorize {
(5) - entering group authorize {...}
(5) [chap] = noop
(5) [mschap] = noop
(5) suffix : Looking up realm "local" for User-Name = "steve@local"
(5) suffix : Found realm "LOCAL"
(5) suffix : Adding Stripped-User-Name = "steve"
(5) suffix : Adding Realm = "LOCAL"
(5) suffix : Authentication realm is LOCAL.
(5) [suffix] = ok
(5) update control {
(5) } # update control = ok
(5) eap : EAP packet type response id 0 length 16
(5) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(5) [eap] = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(5) group authenticate {
(5) - entering group authenticate {...}
(5) eap : EAP Identity
(5) eap : processing type md5
rlm_eap_md5: Issuing Challenge
(5) eap : New EAP session, adding 'State' attribute to reply 0xee5d6e98ee5c6af2
(5) [eap] = handled
} # server inner-tunnel
(5) ttls : Got tunneled reply code 11
    EAP-Message = 0x010100160410d7f85df0bea15eedcd903985f669ebe6
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xee5d6e98ee5c6af22253e9689b41e2ad
(5) ttls : Got tunneled Access-Challenge
(5) eap : New EAP session, adding 'State' attribute to reply 0x712f0bd474291e61
(5) [eap] = handled
Sending Access-Challenge of id 0 from 0.0.0.0 port 2083 to 127.0.0.1 port 58839
    EAP-Message = 0x0106004f15800000004517030100406080e856337f109505b240c7b64b3413f939006da205d5b44997ddc11431574ca036852e5cbac19feb936fe31ec01eb58ed168d404811ece0a7852cc98970878
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x712f0bd474291e6167f66eff129f2ec3
(0) Application data status 7
(0) tls_recv: Access-Request packet from host 127.0.0.1 port 58839, id=0, length=158
(5) Waiting for child thread to stop
Waking up in 0.3 seconds.
Thread 4 got semaphore
Thread 4 handling request 6, (2 handled so far)
    User-Name = "@local"
    X-Ascend-FR-DCE-N393 = 1752134516
    Attr-165 = 0x6d6f6f6e2d73657276
    EAP-Message = 0x0206004b1500170301004091ae5e777f6630252a84c234d84a9cc6ccadf305a8a69f9557b6863b7a62b857301613ed3c46f9876184999c9fa6de9fde15c8b99201fb8edd39bb07c2ad2383
    State = 0x712f0bd474291e6167f66eff129f2ec3
    Message-Authenticator = 0x0d641e43933da89a653b04b2fe4530fa
(6) <thread> : # Executing section authorize from file /etc/freeradius/sites-enabled/default
(6) <thread> : group authorize {
(6) <thread> : - entering group authorize {...}
(6) <thread> : policy filter_username {
(6) <thread> : - entering policy filter_username {...}
(6) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}")
(6) <thread> : expand: '%{User-Name}' -> '@local'
(6) <thread> : expand: '%{tolower:%{User-Name}}' -> '@local'
(6) <thread> : ? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(6) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(6) <thread> : ? if (User-Name =~ / /)
(6) <thread> : ? Evaluating (User-Name =~ / /) -> FALSE
(6) <thread> : ? if (User-Name =~ / /) -> FALSE
(6) <thread> : ? if (User-Name =~ [log in to unmask]*@/ )
(6) <thread> : ? Evaluating (User-Name =~ [log in to unmask]*@/) -> FALSE
(6) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) -> FALSE
(6) <thread> : ? if (User-Name =~ /\\.\\./ )
(6) <thread> : ? Evaluating (User-Name =~ /\\.\\./) -> FALSE
(6) <thread> : ? if (User-Name =~ /\\.\\./ ) -> FALSE
(6) <thread> : ? if (User-Name =~ /\\.$/)
(6) <thread> : ? Evaluating (User-Name =~ /\\.$/) -> FALSE
(6) <thread> : ? if (User-Name =~ /\\.$/) -> FALSE
(6) <thread> : ? if (User-Name =~ /@\\./)
(6) <thread> : ? Evaluating (User-Name =~ /@\\./) -> FALSE
(6) <thread> : ? if (User-Name =~ /@\\./) -> FALSE
(6) <thread> : - policy filter_username returns notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix : Looking up realm "local" for User-Name = "@local"
(6) suffix : Found realm "LOCAL"
(6) suffix : Adding Stripped-User-Name = ""
(6) suffix : Adding Realm = "LOCAL"
(6) suffix : Authentication realm is LOCAL.
(6) [suffix] = ok
(6) eap : EAP packet type response id 6 length 75
(6) eap : Continuing tunnel setup.
(6) [eap] = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6) group authenticate {
(6) - entering group authenticate {...}
(6) eap : Expiring EAP session with state 0xee5d6e98ee5c6af2
(6) eap : Finished EAP session with state 0x712f0bd474291e61
(6) eap : Previous EAP request found for state 0x712f0bd474291e61, released from the list
(6) eap : EAP/ttls
(6) eap : processing type ttls
(6) ttls : Authenticate
(6) ttls : processing EAP-TLS
(6) ttls : eaptls_verify returned 7
(6) ttls : Done initial handshake
(6) ttls : eaptls_process returned 7
(6) ttls : Session established. Proceeding to decode tunneled attributes.
(6) ttls : Got tunneled request
    EAP-Message = 0x020100160410a988c9cd197354461741bea6ebca9cb8
    FreeRADIUS-Proxied-To = 127.0.0.1
(6) ttls : Sending tunneled request
    EAP-Message = 0x020100160410a988c9cd197354461741bea6ebca9cb8
    FreeRADIUS-Proxied-To = 127.0.0.1
    User-Name = "steve@local"
    State = 0xee5d6e98ee5c6af22253e9689b41e2ad
server inner-tunnel {
(6) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
(6) group authorize {
(6) - entering group authorize {...}
(6) [chap] = noop
(6) [mschap] = noop
(6) suffix : Looking up realm "local" for User-Name = "steve@local"
(6) suffix : Found realm "LOCAL"
(6) suffix : Adding Stripped-User-Name = "steve"
(6) suffix : Adding Realm = "LOCAL"
(6) suffix : Authentication realm is LOCAL.
(6) [suffix] = ok
(6) update control {
(6) } # update control = ok
(6) eap : EAP packet type response id 1 length 22
(6) eap : No EAP Start, assuming it's an on-going EAP conversation
(6) [eap] = updated
(6) files : users: Matched entry steve at line 76
(6) [files] = ok
(6) [expiration] = noop
(6) [logintime] = noop
(6) WARNING: pap : Auth-Type already set. Not setting to PAP
(6) [pap] = noop
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(6) group authenticate {
(6) - entering group authenticate {...}
(6) eap : Expiring EAP session with state 0xee5d6e98ee5c6af2
(6) eap : Finished EAP session with state 0xee5d6e98ee5c6af2
(6) eap : Previous EAP request found for state 0xee5d6e98ee5c6af2, released from the list
(6) eap : EAP/md5
(6) eap : processing type md5
(6) eap : Freeing handler
(6) [eap] = ok
(6) WARNING: Empty post-auth section. Using default return values.
(6) # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
} # server inner-tunnel
(6) ttls : Got tunneled reply code 2
    EAP-Message = 0x03010004
    Message-Authenticator = 0x00000000000000000000000000000000
    User-Name = "steve"
(6) ttls : Got tunneled Access-Accept
(6) ttls : Saving session 0116a21c94250be83ee0f0ecdf3e5335ea73c6de4dc83c70cb5ebef766e33466 vps 0x8f96e38 in the cache
(6) eap : Freeing handler
rlm_eap_ttls: Freeing handler for user steve@local
(6) [eap] = ok
(6) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
(6) group post-auth {
(6) - entering group post-auth {...}
(6) [exec] = noop
(6) policy remove_reply_message_if_eap {
(6) - entering policy remove_reply_message_if_eap {...}
(6) ? if (reply:EAP-Message && reply:Reply-Message)
(6) ? Evaluating (reply:EAP-Message ) -> TRUE
(6) ? Evaluating (reply:Reply-Message) -> FALSE
(6) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE
(6) else else {
(6) - entering else else {...}
(6) [noop] = noop
(6) - else else returns noop
(6) - policy remove_reply_message_if_eap returns noop
Sending Access-Accept of id 0 from 0.0.0.0 port 2083 to 127.0.0.1 port 58839
    MS-MPPE-Recv-Key = 0x428b40281956f5ad89bbf4e515102874d350b7c1374e756e115e5f8e51ac9bf9
    MS-MPPE-Send-Key = 0xba8de1bbc7c56706f20ad3fb08df661de0ec0ac8d55f3e0cea1b836607216251
    Attr-26.6.122.4 = 0x1551ac7abc8b36266ab11aedfd890b67fc81e9c0677271952682b8fcee96eff20951ac7abcccdc627431a459374e94be4b477b21b479483886113650c6dc464499
    EAP-Message = 0x03060004
    Message-Authenticator = 0x00000000000000000000000000000000
    User-Name = ""
WARNING: Skipping zero-length attribute User-Name
(5) Finished request 5.
Thread 5 waiting to be assigned a request
(6) Finished request 6.
Thread 4 waiting to be assigned a request
(4) Finished request 4.
Thread 1 waiting to be assigned a request
Client has closed connection
(6) Cleaning up request packet ID 0 with timestamp +6
... closing socket authentication from client (127.0.0.1, 58839) -> (*, 2083)
Waking up in 0.3 seconds.
... new connection request on TCP socket.
Listening on authentication from client (127.0.0.1, 58840) -> (*, 2083)
Waking up in 0.3 seconds.
(0) Requiring client certificate
(0) Initiate
(0) (other): before/accept initialization
(0) TLS_accept: before/accept initialization
(0) <<< TLS 1.0 Handshake [length 00dd], ClientHello
(0) TLS_accept: SSLv3 read client hello A
(0) >>> TLS 1.0 Handshake [length 003e], ServerHello
(0) TLS_accept: SSLv3 write server hello A
(0) >>> TLS 1.0 Handshake [length 085e], Certificate
(0) TLS_accept: SSLv3 write certificate A
(0) >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(0) TLS_accept: SSLv3 write key exchange A
(0) >>> TLS 1.0 Handshake [length 00a6], CertificateRequest
(0) TLS_accept: SSLv3 write certificate request A
(0) TLS_accept: SSLv3 flush data
(0) TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
Waking up in 0.3 seconds.
(0) <<< TLS 1.0 Handshake [length 0853], Certificate
(0) chain-depth=1,
(0) error=0
(0) --> BUF-Name = Example Certificate Authority
(0) --> subject = /C=FR/ST=Radius/L=Somewhere/O=Example [log in to unmask] Certificate Authority
(0) --> issuer = /C=FR/ST=Radius/L=Somewhere/O=Example [log in to unmask] Certificate Authority
(0) --> verify return:1
(0) chain-depth=0,
(0) error=0
(0) --> BUF-Name = [log in to unmask]
(0) --> subject = /C=FR/ST=Radius/O=Example [log in to unmask]@example.com
(0) --> issuer = /C=FR/ST=Radius/L=Somewhere/O=Example [log in to unmask] Certificate Authority
(0) --> verify return:1
(0) TLS_accept: SSLv3 read client certificate A
(0) <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(0) TLS_accept: SSLv3 read client key exchange A
(0) <<< TLS 1.0 Handshake [length 0106], CertificateVerify
(0) TLS_accept: SSLv3 read certificate verify A
(0) <<< TLS 1.0 ChangeCipherSpec [length 0001]
(0) <<< TLS 1.0 Handshake [length 0010], Finished
(0) TLS_accept: SSLv3 read finished A
(0) >>> TLS 1.0 ChangeCipherSpec [length 0001]
(0) TLS_accept: SSLv3 write change cipher spec A
(0) >>> TLS 1.0 Handshake [length 0010], Finished
(0) TLS_accept: SSLv3 write finished A
(0) TLS_accept: SSLv3 flush data
(0) (other): SSL negotiation finished successfully
SSL Connection Established
Waking up in 0.3 seconds.
(0) Application data status 7
(0) tls_recv: Access-Request packet from host 127.0.0.1 port 58840, id=0, length=76
Thread 3 got semaphore
Thread 3 handling request 7, (2 handled so far)
    User-Name = "@local"
    X-Ascend-FR-DCE-N393 = 1752134516
    Attr-165 = 0x6d6f6f6e2d73657276
    EAP-Message = 0x0200000b01406c6f63616c
    Message-Authenticator = 0x5d826dd1d49be1e366f75ae2bf158a50
(7) <thread> : # Executing section authorize from file /etc/freeradius/sites-enabled/default
(7) <thread> : group authorize {
(7) <thread> : - entering group authorize {...}
(7) <thread> : policy filter_username {
(7) <thread> : - entering policy filter_username {...}
(7) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}")
(7) <thread> : expand: '%{User-Name}' -> '@local'
(7) <thread> : expand: '%{tolower:%{User-Name}}' -> '@local'
(7) <thread> : ? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(7) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(7) <thread> : ? if (User-Name =~ / /)
(7) <thread> : ? Evaluating (User-Name =~ / /) -> FALSE
(7) <thread> : ? if (User-Name =~ / /) -> FALSE
(7) <thread> : ? if (User-Name =~ [log in to unmask]*@/ )
(7) <thread> : ? Evaluating (User-Name =~ [log in to unmask]*@/) -> FALSE
(7) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) -> FALSE
(7) <thread> : ? if (User-Name =~ /\\.\\./ )
(7) <thread> : ? Evaluating (User-Name =~ /\\.\\./) -> FALSE
(7) <thread> : ? if (User-Name =~ /\\.\\./ ) -> FALSE
(7) <thread> : ? if (User-Name =~ /\\.$/)
(7) <thread> : ? Evaluating (User-Name =~ /\\.$/) -> FALSE
(7) <thread> : ? if (User-Name =~ /\\.$/) -> FALSE
(7) <thread> : ? if (User-Name =~ /@\\./)
(7) <thread> : ? Evaluating (User-Name =~ /@\\./) -> FALSE
(7) <thread> : ? if (User-Name =~ /@\\./) -> FALSE
(7) <thread> : - policy filter_username returns notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix : Looking up realm "local" for User-Name = "@local"
(7) suffix : Found realm "LOCAL"
(7) suffix : Adding Stripped-User-Name = ""
(7) suffix : Adding Realm = "LOCAL"
(7) suffix : Authentication realm is LOCAL.
(7) [suffix] = ok
(7) eap : EAP packet type response id 0 length 11
(7) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(7) [eap] = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/freeradius/sites-enabled/default
(7) group authenticate {
(7) - entering group authenticate {...}
(7) eap : EAP Identity
(7) eap : processing type ttls
(7) ttls : Initiate
(7) ttls : Start returned 1
(7) eap : New EAP session, adding 'State' attribute to reply 0x28fa568e28fb4330
(7) [eap] = handled
Sending Access-Challenge of id 0 from 0.0.0.0 port 2083 to 127.0.0.1 port 58840
    EAP-Message = 0x010100061520
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x28fa568e28fb433021687027c00030ca
(7) Finished request 7.
Thread 3 waiting to be assigned a request
Waking up in 0.3 seconds.
(0) Application data status 7 (0) tls_recv: Access-Request packet from host 127.0.0.1 port 58840, id=0, length=145 (7) Cleaning up request packet ID 0 with timestamp +6 Thread 2 got semaphore Thread 2 handling request 8, (2 handled so far) User-Name = "@local" X-Ascend-FR-DCE-N393 = 1752134516 Attr-165 = 0x6d6f6f6e2d73657276 EAP-Message = 0x0201003e150016030100330100002f030151ac7abcc32f85b420319d099d6352bfdc4ab54892c83e82b6bf39add4519f05000008002f000a000500040100 State = 0x28fa568e28fb433021687027c00030ca Message-Authenticator = 0x7f2f77aec95054645fec6fcd56ac46ac (8) <thread> : # Executing section authorize from file /etc/freeradius/sites-enabled/default (8) <thread> : group authorize { (8) <thread> : - entering group authorize {...} (8) <thread> : policy filter_username { (8) <thread> : - entering policy filter_username {...} (8) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") (8) <thread> : expand: '%{User-Name}' -> '@local' (8) <thread> : expand: '%{tolower:%{User-Name}}' -> '@local' (8) <thread> : ? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE (8) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (8) <thread> : ? if (User-Name =~ / /) (8) <thread> : ? Evaluating (User-Name =~ / /) -> FALSE (8) <thread> : ? if (User-Name =~ / /) -> FALSE (8) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) (8) <thread> : ? Evaluating (User-Name =~ [log in to unmask]*@/) -> FALSE (8) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) -> FALSE (8) <thread> : ? if (User-Name =~ /\\.\\./ ) (8) <thread> : ? Evaluating (User-Name =~ /\\.\\./) -> FALSE (8) <thread> : ? if (User-Name =~ /\\.\\./ ) -> FALSE (8) <thread> : ? if (User-Name =~ /\\.$/) (8) <thread> : ? Evaluating (User-Name =~ /\\.$/) -> FALSE (8) <thread> : ? if (User-Name =~ /\\.$/) -> FALSE (8) <thread> : ? if (User-Name =~ /@\\./) (8) <thread> : ? Evaluating (User-Name =~ /@\\./) -> FALSE (8) <thread> : ? 
if (User-Name =~ /@\\./) -> FALSE (8) <thread> : - policy filter_username returns notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix : Looking up realm "local" for User-Name = "@local" (8) suffix : Found realm "LOCAL" (8) suffix : Adding Stripped-User-Name = "" (8) suffix : Adding Realm = "LOCAL" (8) suffix : Authentication realm is LOCAL. (8) [suffix] = ok (8) eap : EAP packet type response id 1 length 62 (8) eap : Continuing tunnel setup. (8) [eap] = ok (8) Found Auth-Type = EAP (8) # Executing group from file /etc/freeradius/sites-enabled/default (8) group authenticate { (8) - entering group authenticate {...} (8) eap : Expiring EAP session with state 0x28fa568e28fb4330 (8) eap : Finished EAP session with state 0x28fa568e28fb4330 (8) eap : Previous EAP request found for state 0x28fa568e28fb4330, released from the list (8) eap : EAP/ttls (8) eap : processing type ttls (8) ttls : Authenticate (8) ttls : processing EAP-TLS (8) ttls : eaptls_verify returned 7 (8) ttls : Done initial handshake (8) ttls : (other): before/accept initialization (8) ttls : TLS_accept: before/accept initialization (8) ttls : <<< TLS 1.0 Handshake [length 0033], ClientHello (8) ttls : TLS_accept: SSLv3 read client hello A (8) ttls : >>> TLS 1.0 Handshake [length 004a], ServerHello (8) ttls : TLS_accept: SSLv3 write server hello A (8) ttls : >>> TLS 1.0 Handshake [length 085e], Certificate (8) ttls : TLS_accept: SSLv3 write certificate A (8) ttls : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone (8) ttls : TLS_accept: SSLv3 write server done A (8) ttls : TLS_accept: SSLv3 flush data (8) ttls : TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode (8) ttls : eaptls_process returned 13 (8) eap : New EAP session, adding 'State' attribute to reply 0x28fa568e29f84330 (8) [eap] = handled Sending Access-Challenge of id 0 from 0.0.0.0 port 2083 to 127.0.0.1 port 58840 EAP-Message = 
0x010203ec15c0000008bb160301004a02000046030151ac7abc85177fdcac70b448e92458da737130bc5c6f3def76fe43569bbaadef203f7fcd9238b3eeab539d61ecb39154154a584d17ac4ce5e641f055bf071581f2002f00160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406035504 EAP-Message = 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 EAP-Message = 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 EAP-Message = 0x070301300d06092a864886f70d01010505000382010100b4809b4d8459576abeabea0ddf87501401c152f5ef8f0b045ab337b5f235ae06a40a700b9a4ce0f7a4a6b6558721a08befc1462fffd9667c9da796412252b19d0560923a1aaec15020fd3835392dca2c843bb194bf52dca206054209d20f9232a7990bf6bb8f1c05196d472b0775b5b11c49022b0a360768c07b4367d0970a308b14adb42512cfed2352fd936a389efb998a30214baa8b582bde1e08c352a4890811f40b1857ea16c0e98e19c2f07f8b21dcb5f4b77145cb904d2460fa70be1bfc08903e5af2078a0d34457d581bd6116886b7059b136972eeaaff0f607a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x28fa568e29f8433021687027c00030ca (8) Finished request 8. Thread 2 waiting to be assigned a request Waking up in 0.3 seconds. 
(0) Application data status 7 (0) tls_recv: Access-Request packet from host 127.0.0.1 port 58840, id=0, length=89 (8) Cleaning up request packet ID 0 with timestamp +6 Thread 5 got semaphore Thread 5 handling request 9, (3 handled so far) User-Name = "@local" X-Ascend-FR-DCE-N393 = 1752134516 Attr-165 = 0x6d6f6f6e2d73657276 EAP-Message = 0x020200061500 State = 0x28fa568e29f8433021687027c00030ca Message-Authenticator = 0x04fb13cd38000a30aca3bc8adb069589 (9) <thread> : # Executing section authorize from file /etc/freeradius/sites-enabled/default (9) <thread> : group authorize { (9) <thread> : - entering group authorize {...} (9) <thread> : policy filter_username { (9) <thread> : - entering policy filter_username {...} (9) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") (9) <thread> : expand: '%{User-Name}' -> '@local' (9) <thread> : expand: '%{tolower:%{User-Name}}' -> '@local' (9) <thread> : ? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE (9) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (9) <thread> : ? if (User-Name =~ / /) (9) <thread> : ? Evaluating (User-Name =~ / /) -> FALSE (9) <thread> : ? if (User-Name =~ / /) -> FALSE (9) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) (9) <thread> : ? Evaluating (User-Name =~ [log in to unmask]*@/) -> FALSE (9) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) -> FALSE (9) <thread> : ? if (User-Name =~ /\\.\\./ ) (9) <thread> : ? Evaluating (User-Name =~ /\\.\\./) -> FALSE (9) <thread> : ? if (User-Name =~ /\\.\\./ ) -> FALSE (9) <thread> : ? if (User-Name =~ /\\.$/) (9) <thread> : ? Evaluating (User-Name =~ /\\.$/) -> FALSE (9) <thread> : ? if (User-Name =~ /\\.$/) -> FALSE (9) <thread> : ? if (User-Name =~ /@\\./) (9) <thread> : ? Evaluating (User-Name =~ /@\\./) -> FALSE (9) <thread> : ? 
if (User-Name =~ /@\\./) -> FALSE (9) <thread> : - policy filter_username returns notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix : Looking up realm "local" for User-Name = "@local" (9) suffix : Found realm "LOCAL" (9) suffix : Adding Stripped-User-Name = "" (9) suffix : Adding Realm = "LOCAL" (9) suffix : Authentication realm is LOCAL. (9) [suffix] = ok (9) eap : EAP packet type response id 2 length 6 (9) eap : Continuing tunnel setup. (9) [eap] = ok (9) Found Auth-Type = EAP (9) # Executing group from file /etc/freeradius/sites-enabled/default (9) group authenticate { (9) - entering group authenticate {...} (9) eap : Expiring EAP session with state 0x28fa568e29f84330 (9) eap : Finished EAP session with state 0x28fa568e29f84330 (9) eap : Previous EAP request found for state 0x28fa568e29f84330, released from the list (9) eap : EAP/ttls (9) eap : processing type ttls (9) ttls : Authenticate (9) ttls : processing EAP-TLS (9) ttls : Received TLS ACK (9) ttls : Received TLS ACK (9) ttls : ACK handshake fragment handler (9) ttls : eaptls_verify returned 1 (9) ttls : eaptls_process returned 13 (9) eap : New EAP session, adding 'State' attribute to reply 0x28fa568e2af94330 (9) [eap] = handled Sending Access-Challenge of id 0 from 0.0.0.0 port 2083 to 127.0.0.1 port 58840 EAP-Message = 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 EAP-Message = 0x170d3134303533303134313130375a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100d5ea9c8daf3e209f46be890bd2e10399996255c5bc4c03a0311d9bf5c5ced1b53d45fb83317e691ea0c6f16b1bc26da8e088f3f08ada7c EAP-Message = 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 
EAP-Message = 0xc03081bd80144bc9ef9fa77920584ee92214be643e1a5974e223a18199a48196308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900e3bdffa7131f5e6a300c0603551d13040530030101ff300d06092a864886f70d0101050500038201010003f0b6fb1cc5dc0fb49e4f088643ec34c2bb Message-Authenticator = 0x00000000000000000000000000000000 State = 0x28fa568e2af9433021687027c00030ca (9) Finished request 9. Thread 5 waiting to be assigned a request Waking up in 0.3 seconds. (0) Application data status 7 (0) tls_recv: Access-Request packet from host 127.0.0.1 port 58840, id=0, length=89 (9) Cleaning up request packet ID 0 with timestamp +6 Thread 4 got semaphore Thread 4 handling request 10, (3 handled so far) User-Name = "@local" X-Ascend-FR-DCE-N393 = 1752134516 Attr-165 = 0x6d6f6f6e2d73657276 EAP-Message = 0x020300061500 State = 0x28fa568e2af9433021687027c00030ca Message-Authenticator = 0x4cd6ee0433986c30c3224162cbaed513 (10) <thread> : # Executing section authorize from file /etc/freeradius/sites-enabled/default (10) <thread> : group authorize { (10) <thread> : - entering group authorize {...} (10) <thread> : policy filter_username { (10) <thread> : - entering policy filter_username {...} (10) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") (10) <thread> : expand: '%{User-Name}' -> '@local' (10) <thread> : expand: '%{tolower:%{User-Name}}' -> '@local' (10) <thread> : ? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE (10) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (10) <thread> : ? if (User-Name =~ / /) (10) <thread> : ? Evaluating (User-Name =~ / /) -> FALSE (10) <thread> : ? if (User-Name =~ / /) -> FALSE (10) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) (10) <thread> : ? 
Evaluating (User-Name =~ [log in to unmask]*@/) -> FALSE (10) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) -> FALSE (10) <thread> : ? if (User-Name =~ /\\.\\./ ) (10) <thread> : ? Evaluating (User-Name =~ /\\.\\./) -> FALSE (10) <thread> : ? if (User-Name =~ /\\.\\./ ) -> FALSE (10) <thread> : ? if (User-Name =~ /\\.$/) (10) <thread> : ? Evaluating (User-Name =~ /\\.$/) -> FALSE (10) <thread> : ? if (User-Name =~ /\\.$/) -> FALSE (10) <thread> : ? if (User-Name =~ /@\\./) (10) <thread> : ? Evaluating (User-Name =~ /@\\./) -> FALSE (10) <thread> : ? if (User-Name =~ /@\\./) -> FALSE (10) <thread> : - policy filter_username returns notfound (10) [preprocess] = ok (10) [chap] = noop (10) [mschap] = noop (10) [digest] = noop (10) suffix : Looking up realm "local" for User-Name = "@local" (10) suffix : Found realm "LOCAL" (10) suffix : Adding Stripped-User-Name = "" (10) suffix : Adding Realm = "LOCAL" (10) suffix : Authentication realm is LOCAL. (10) [suffix] = ok (10) eap : EAP packet type response id 3 length 6 (10) eap : Continuing tunnel setup. 
(10) [eap] = ok (10) Found Auth-Type = EAP (10) # Executing group from file /etc/freeradius/sites-enabled/default (10) group authenticate { (10) - entering group authenticate {...} (10) eap : Expiring EAP session with state 0x28fa568e2af94330 (10) eap : Finished EAP session with state 0x28fa568e2af94330 (10) eap : Previous EAP request found for state 0x28fa568e2af94330, released from the list (10) eap : EAP/ttls (10) eap : processing type ttls (10) ttls : Authenticate (10) ttls : processing EAP-TLS (10) ttls : Received TLS ACK (10) ttls : Received TLS ACK (10) ttls : ACK handshake fragment handler (10) ttls : eaptls_verify returned 1 (10) ttls : eaptls_process returned 13 (10) eap : New EAP session, adding 'State' attribute to reply 0x28fa568e2bfe4330 (10) [eap] = handled Sending Access-Challenge of id 0 from 0.0.0.0 port 2083 to 127.0.0.1 port 58840 EAP-Message = 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 EAP-Message = 0x0e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x28fa568e2bfe433021687027c00030ca (10) Finished request 10. Thread 4 waiting to be assigned a request Waking up in 0.3 seconds. (0) Application data status 7 (0) tls_recv: Access-Request packet from host 127.0.0.1 port 58840, id=0, length=417 (10) Cleaning up request packet ID 0 with timestamp +6 Waking up in 0.3 seconds. 
Thread 1 got semaphore Thread 1 handling request 11, (2 handled so far) User-Name = "@local" X-Ascend-FR-DCE-N393 = 1752134516 Attr-165 = 0x6d6f6f6e2d73657276 EAP-Message = 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 EAP-Message = 0xc5230ce1b7811928b0e273d232698dab3c6077c71403010001011603010030e1e1b18ff5220cba3dee3fd6c2ae2617a516db147c00bbbf73ad83a308d42e66771f16aece1345708bf6dc2803c6cb9b State = 0x28fa568e2bfe433021687027c00030ca Message-Authenticator = 0xaf6f76e0c61a104a839d69ba88cc5fa4 (11) <thread> : # Executing section authorize from file /etc/freeradius/sites-enabled/default (11) <thread> : group authorize { (11) <thread> : - entering group authorize {...} (11) <thread> : policy filter_username { (11) <thread> : - entering policy filter_username {...} (11) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") (11) <thread> : expand: '%{User-Name}' -> '@local' (11) <thread> : expand: '%{tolower:%{User-Name}}' -> '@local' (11) <thread> : ? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE (11) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (11) <thread> : ? if (User-Name =~ / /) (11) <thread> : ? Evaluating (User-Name =~ / /) -> FALSE (11) <thread> : ? if (User-Name =~ / /) -> FALSE (11) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) (11) <thread> : ? Evaluating (User-Name =~ [log in to unmask]*@/) -> FALSE (11) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) -> FALSE (11) <thread> : ? if (User-Name =~ /\\.\\./ ) (11) <thread> : ? Evaluating (User-Name =~ /\\.\\./) -> FALSE (11) <thread> : ? if (User-Name =~ /\\.\\./ ) -> FALSE (11) <thread> : ? if (User-Name =~ /\\.$/) (11) <thread> : ? Evaluating (User-Name =~ /\\.$/) -> FALSE (11) <thread> : ? if (User-Name =~ /\\.$/) -> FALSE (11) <thread> : ? if (User-Name =~ /@\\./) (11) <thread> : ? Evaluating (User-Name =~ /@\\./) -> FALSE (11) <thread> : ? 
if (User-Name =~ /@\\./) -> FALSE (11) <thread> : - policy filter_username returns notfound (11) [preprocess] = ok (11) [chap] = noop (11) [mschap] = noop (11) [digest] = noop (11) suffix : Looking up realm "local" for User-Name = "@local" (11) suffix : Found realm "LOCAL" (11) suffix : Adding Stripped-User-Name = "" (11) suffix : Adding Realm = "LOCAL" (11) suffix : Authentication realm is LOCAL. (11) [suffix] = ok (11) eap : EAP packet type response id 4 length 253 (11) eap : Continuing tunnel setup. (11) [eap] = ok (11) Found Auth-Type = EAP (11) # Executing group from file /etc/freeradius/sites-enabled/default (11) group authenticate { (11) - entering group authenticate {...} (11) eap : Expiring EAP session with state 0x28fa568e2bfe4330 (11) eap : Finished EAP session with state 0x28fa568e2bfe4330 (11) eap : Previous EAP request found for state 0x28fa568e2bfe4330, released from the list (11) eap : EAP/ttls (11) eap : processing type ttls (11) ttls : Authenticate (11) ttls : processing EAP-TLS (11) ttls : eaptls_verify returned 7 (11) ttls : Done initial handshake (11) ttls : <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange (11) ttls : TLS_accept: SSLv3 read client key exchange A (11) ttls : <<< TLS 1.0 ChangeCipherSpec [length 0001] (11) ttls : <<< TLS 1.0 Handshake [length 0010], Finished (11) ttls : TLS_accept: SSLv3 read finished A (11) ttls : >>> TLS 1.0 ChangeCipherSpec [length 0001] (11) ttls : TLS_accept: SSLv3 write change cipher spec A (11) ttls : >>> TLS 1.0 Handshake [length 0010], Finished (11) ttls : TLS_accept: SSLv3 write finished A (11) ttls : TLS_accept: SSLv3 flush data SSL: adding session 3f7fcd9238b3eeab539d61ecb39154154a584d17ac4ce5e641f055bf071581f2 to cache (11) ttls : (other): SSL negotiation finished successfully SSL Connection Established (11) ttls : eaptls_process returned 13 (11) eap : New EAP session, adding 'State' attribute to reply 0x28fa568e2cff4330 (11) [eap] = handled Sending Access-Challenge of id 0 from 0.0.0.0 port 
2083 to 127.0.0.1 port 58840 EAP-Message = 0x0105004515800000003b14030100010116030100304e4e8d049c4af373f586c331a49164c3d58b468026f99d39a51524f2cb3e7d90f35eb0c6af71b5cebc4ae4b5ef2091c4 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x28fa568e2cff433021687027c00030ca (0) Application data status 7 (0) tls_recv: Access-Request packet from host 127.0.0.1 port 58840, id=0, length=142 (11) Waiting for child thread to stop Waking up in 0.2 seconds. Thread 3 got semaphore Thread 3 handling request 12, (3 handled so far) User-Name = "@local" X-Ascend-FR-DCE-N393 = 1752134516 Attr-165 = 0x6d6f6f6e2d73657276 EAP-Message = 0x0205003b15001703010030959489a5598d9fa05adfe2daee1c18292a5918d3325789e04d83fe0ce9083aa20caee3ee8090cc51c9be5dd595a9daa4 State = 0x28fa568e2cff433021687027c00030ca Message-Authenticator = 0xc47489fb3839af51207d9f8a33d08901 (12) <thread> : # Executing section authorize from file /etc/freeradius/sites-enabled/default (12) <thread> : group authorize { (12) <thread> : - entering group authorize {...} (12) <thread> : policy filter_username { (12) <thread> : - entering policy filter_username {...} (12) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") (12) <thread> : expand: '%{User-Name}' -> '@local' (12) <thread> : expand: '%{tolower:%{User-Name}}' -> '@local' (12) <thread> : ? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE (12) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (12) <thread> : ? if (User-Name =~ / /) (12) <thread> : ? Evaluating (User-Name =~ / /) -> FALSE (12) <thread> : ? if (User-Name =~ / /) -> FALSE (12) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) (12) <thread> : ? Evaluating (User-Name =~ [log in to unmask]*@/) -> FALSE (12) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) -> FALSE (12) <thread> : ? if (User-Name =~ /\\.\\./ ) (12) <thread> : ? Evaluating (User-Name =~ /\\.\\./) -> FALSE (12) <thread> : ? if (User-Name =~ /\\.\\./ ) -> FALSE (12) <thread> : ? 
if (User-Name =~ /\\.$/) (12) <thread> : ? Evaluating (User-Name =~ /\\.$/) -> FALSE (12) <thread> : ? if (User-Name =~ /\\.$/) -> FALSE (12) <thread> : ? if (User-Name =~ /@\\./) (12) <thread> : ? Evaluating (User-Name =~ /@\\./) -> FALSE (12) <thread> : ? if (User-Name =~ /@\\./) -> FALSE (12) <thread> : - policy filter_username returns notfound (12) [preprocess] = ok (12) [chap] = noop (12) [mschap] = noop (12) [digest] = noop (12) suffix : Looking up realm "local" for User-Name = "@local" (12) suffix : Found realm "LOCAL" (12) suffix : Adding Stripped-User-Name = "" (12) suffix : Adding Realm = "LOCAL" (12) suffix : Authentication realm is LOCAL. (12) [suffix] = ok (12) eap : EAP packet type response id 5 length 59 (12) eap : Continuing tunnel setup. (12) [eap] = ok (12) Found Auth-Type = EAP (12) # Executing group from file /etc/freeradius/sites-enabled/default (12) group authenticate { (12) - entering group authenticate {...} (12) eap : Expiring EAP session with state 0x28fa568e2cff4330 (12) eap : Finished EAP session with state 0x28fa568e2cff4330 (12) eap : Previous EAP request found for state 0x28fa568e2cff4330, released from the list (12) eap : EAP/ttls (12) eap : processing type ttls (12) ttls : Authenticate (12) ttls : processing EAP-TLS (12) ttls : eaptls_verify returned 7 (12) ttls : Done initial handshake (12) ttls : eaptls_process returned 7 (12) ttls : Session established. Proceeding to decode tunneled attributes. (12) ttls : Got tunneled request EAP-Message = 0x02000010017374657665406c6f63616c FreeRADIUS-Proxied-To = 127.0.0.1 (12) ttls : Got tunneled identity of steve@local (12) ttls : Setting default EAP type for tunneled EAP session. 
(12) ttls : Sending tunneled request EAP-Message = 0x02000010017374657665406c6f63616c FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "steve@local" server inner-tunnel { (12) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (12) group authorize { (12) - entering group authorize {...} (12) [chap] = noop (12) [mschap] = noop (12) suffix : Looking up realm "local" for User-Name = "steve@local" (12) suffix : Found realm "LOCAL" (12) suffix : Adding Stripped-User-Name = "steve" (12) suffix : Adding Realm = "LOCAL" (12) suffix : Authentication realm is LOCAL. (12) [suffix] = ok (12) update control { (12) } # update control = ok (12) eap : EAP packet type response id 0 length 16 (12) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (12) [eap] = ok (12) Found Auth-Type = EAP (12) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (12) group authenticate { (12) - entering group authenticate {...} (12) eap : EAP Identity (12) eap : processing type md5 rlm_eap_md5: Issuing Challenge (12) eap : New EAP session, adding 'State' attribute to reply 0x3dddb3353ddcb7c4 (12) [eap] = handled } # server inner-tunnel (12) ttls : Got tunneled reply code 11 EAP-Message = 0x0101001604103814a88df7881b538dfdff12a32cee88 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3dddb3353ddcb7c4d0a0f845866d8e6f (12) ttls : Got tunneled Access-Challenge (12) eap : New EAP session, adding 'State' attribute to reply 0x28fa568e2dfc4330 (12) [eap] = handled Sending Access-Challenge of id 0 from 0.0.0.0 port 2083 to 127.0.0.1 port 58840 EAP-Message = 0x0106004f1580000000451703010040f61bda8f4f71fa78eef593c026219ea4976733338f986e846d66af31f355afde3209debbc4c264cfb3f33590d96c4773f5c22f64d6aad9ab9dffa123288381e6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x28fa568e2dfc433021687027c00030ca (12) Finished request 12. 
Thread 3 waiting to be assigned a request (0) Application data status 7 (0) tls_recv: Access-Request packet from host 127.0.0.1 port 58840, id=0, length=158 (12) Cleaning up request packet ID 0 with timestamp +6 Waking up in 0.2 seconds. Thread 2 got semaphore Thread 2 handling request 13, (3 handled so far) User-Name = "@local" X-Ascend-FR-DCE-N393 = 1752134516 Attr-165 = 0x6d6f6f6e2d73657276 EAP-Message = 0x0206004b15001703010040a0232e7e8cd3f31285f0cc2137837d9341a6417c1aa08cc4ca98af8f3e16b99661bc02288d020e372f8217ed414a6c0d8b146c398f12e7b76c2744b4eb2164e4 State = 0x28fa568e2dfc433021687027c00030ca Message-Authenticator = 0x3defb45a87b27e436b7c70bbe02a48bb (13) <thread> : # Executing section authorize from file /etc/freeradius/sites-enabled/default (13) <thread> : group authorize { (13) <thread> : - entering group authorize {...} (13) <thread> : policy filter_username { (13) <thread> : - entering policy filter_username {...} (13) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") (13) <thread> : expand: '%{User-Name}' -> '@local' (13) <thread> : expand: '%{tolower:%{User-Name}}' -> '@local' (13) <thread> : ? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE (13) <thread> : ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (13) <thread> : ? if (User-Name =~ / /) (13) <thread> : ? Evaluating (User-Name =~ / /) -> FALSE (13) <thread> : ? if (User-Name =~ / /) -> FALSE (13) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) (13) <thread> : ? Evaluating (User-Name =~ [log in to unmask]*@/) -> FALSE (13) <thread> : ? if (User-Name =~ [log in to unmask]*@/ ) -> FALSE (13) <thread> : ? if (User-Name =~ /\\.\\./ ) (13) <thread> : ? Evaluating (User-Name =~ /\\.\\./) -> FALSE (13) <thread> : ? if (User-Name =~ /\\.\\./ ) -> FALSE (13) <thread> : ? if (User-Name =~ /\\.$/) (13) <thread> : ? Evaluating (User-Name =~ /\\.$/) -> FALSE (13) <thread> : ? if (User-Name =~ /\\.$/) -> FALSE (13) <thread> : ? if (User-Name =~ /@\\./) (13) <thread> : ? 
Evaluating (User-Name =~ /@\\./) -> FALSE (13) <thread> : ? if (User-Name =~ /@\\./) -> FALSE (13) <thread> : - policy filter_username returns notfound (13) [preprocess] = ok (13) [chap] = noop (13) [mschap] = noop (13) [digest] = noop (13) suffix : Looking up realm "local" for User-Name = "@local" (13) suffix : Found realm "LOCAL" (13) suffix : Adding Stripped-User-Name = "" (13) suffix : Adding Realm = "LOCAL" (13) suffix : Authentication realm is LOCAL. (13) [suffix] = ok (13) eap : EAP packet type response id 6 length 75 (13) eap : Continuing tunnel setup. (13) [eap] = ok (13) Found Auth-Type = EAP (13) # Executing group from file /etc/freeradius/sites-enabled/default (13) group authenticate { (13) - entering group authenticate {...} (13) eap : Expiring EAP session with state 0x3dddb3353ddcb7c4 (13) eap : Finished EAP session with state 0x28fa568e2dfc4330 (13) eap : Previous EAP request found for state 0x28fa568e2dfc4330, released from the list (13) eap : EAP/ttls (13) eap : processing type ttls (13) ttls : Authenticate (13) ttls : processing EAP-TLS (13) ttls : eaptls_verify returned 7 (13) ttls : Done initial handshake (13) ttls : eaptls_process returned 7 (13) ttls : Session established. Proceeding to decode tunneled attributes. 
(13) ttls : Got tunneled request EAP-Message = 0x02010016041090b94bfba6739be0f61dd14d2df199a2 FreeRADIUS-Proxied-To = 127.0.0.1 (13) ttls : Sending tunneled request EAP-Message = 0x02010016041090b94bfba6739be0f61dd14d2df199a2 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "steve@local" State = 0x3dddb3353ddcb7c4d0a0f845866d8e6f server inner-tunnel { (13) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (13) group authorize { (13) - entering group authorize {...} (13) [chap] = noop (13) [mschap] = noop (13) suffix : Looking up realm "local" for User-Name = "steve@local" (13) suffix : Found realm "LOCAL" (13) suffix : Adding Stripped-User-Name = "steve" (13) suffix : Adding Realm = "LOCAL" (13) suffix : Authentication realm is LOCAL. (13) [suffix] = ok (13) update control { (13) } # update control = ok (13) eap : EAP packet type response id 1 length 22 (13) eap : No EAP Start, assuming it's an on-going EAP conversation (13) [eap] = updated (13) files : users: Matched entry steve at line 76 (13) [files] = ok (13) [expiration] = noop (13) [logintime] = noop (13) WARNING: pap : Auth-Type already set. Not setting to PAP (13) [pap] = noop (13) Found Auth-Type = EAP (13) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (13) group authenticate { (13) - entering group authenticate {...} (13) eap : Expiring EAP session with state 0x3dddb3353ddcb7c4 (13) eap : Finished EAP session with state 0x3dddb3353ddcb7c4 (13) eap : Previous EAP request found for state 0x3dddb3353ddcb7c4, released from the list (13) eap : EAP/md5 (13) eap : processing type md5 (13) eap : Freeing handler (13) [eap] = ok (13) WARNING: Empty post-auth section. Using default return values. 
(13) # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel } # server inner-tunnel (13) ttls : Got tunneled reply code 2 EAP-Message = 0x03010004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "steve" (13) ttls : Got tunneled Access-Accept (13) ttls : Saving session 3f7fcd9238b3eeab539d61ecb39154154a584d17ac4ce5e641f055bf071581f2 vps 0x8f9ecd0 in the cache (13) eap : Freeing handler rlm_eap_ttls: Freeing handler for user steve@local (13) [eap] = ok (13) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (13) group post-auth { (13) - entering group post-auth {...} (13) [exec] = noop (13) policy remove_reply_message_if_eap { (13) - entering policy remove_reply_message_if_eap {...} (13) ? if (reply:EAP-Message && reply:Reply-Message) (13) ? Evaluating (reply:EAP-Message ) -> TRUE (13) ? Evaluating (reply:Reply-Message) -> FALSE (13) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE (13) else else { (13) - entering else else {...} (13) [noop] = noop (13) - else else returns noop (13) - policy remove_reply_message_if_eap returns noop Sending Access-Accept of id 0 from 0.0.0.0 port 2083 to 127.0.0.1 port 58840 MS-MPPE-Recv-Key = 0xa186824e62dc0263969afd340e8226ebac0f192613636059a6bd6ea6aeb1110f MS-MPPE-Send-Key = 0x41e16c84d12747a5f5d80c7ea2917bb7d3f074ebc7f17ef55b63f83b996448a2 Attr-26.6.122.4 = 0x1551ac7abcc32f85b420319d099d6352bfdc4ab54892c83e82b6bf39add4519f0551ac7abc85177fdcac70b448e92458da737130bc5c6f3def76fe43569bbaadef EAP-Message = 0x03060004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "" WARNING: Skipping zero-length attribute User-Name (13) Finished request 13. Thread 2 waiting to be assigned a request Client has closed connection (13) Cleaning up request packet ID 0 with timestamp +6 ... closing socket authentication from client (127.0.0.1, 58840) -> (*, 2083) Waking up in 0.2 seconds. (11) Finished request 11. 
Thread 1 waiting to be assigned a request (4) Cleaning up request packet ID -1 with timestamp +6 Aborted