продолжение
(4) Received Access-Request Id 2 from 10.8.150.118:1645 to 10.70.42.77:1645 length 305
(4) User-Name = "host/WNAMTest.stand.ru"
(4) Service-Type = Framed-User
(4) Framed-MTU = 1504
(4) Called-Station-Id = "00-17-E0-1C-15-87"
(4) Calling-Station-Id = "00-E0-4C-31-0E-67"
(4) EAP-Message = 0x0205008819800000007e1603030046100000424104a7375d5a0b4cab49e9fec1125a800f8a23c26057dfd1f42d8ed06d30fc26a0ea775bafbe3e498651218316b113d020f7acf8c30b2a28774e6ca313eb61c6342714030300010116030300280000000000000000af23d74f75fbe62067fe01739e17ce88600ae6f610789121a25b0f666b425f6f
(4) Message-Authenticator = 0x399081e9a1a5c11037d7dc6d3b08bc65
(4) NAS-Port-Type = Ethernet
(4) NAS-Port = 50005
(4) NAS-Port-Id = "FastEthernet0/5"
(4) State = 0x8e1144788d145d5aaaf63b261b53a370
(4) NAS-IP-Address = 10.8.150.118
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [chap] = noop
(4) [mschap] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) update control {
(4) &Proxy-To-Realm := LOCAL
(4) } # update control = noop
(4) eap: Peer sent EAP Response (code 2) ID 5 length 136
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(4) authenticate {
(4) eap: Expiring EAP session with state 0x8e1144788d145d5a
(4) eap: Finished EAP session with state 0x8e1144788d145d5a
(4) eap: Previous EAP request found for state 0x8e1144788d145d5a, released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(4) eap_peap: Got complete TLS record (126 bytes)
(4) eap_peap: [eaptls verify] = length included
(4) eap_peap: TLS_accept: SSLv3/TLS write server done
(4) eap_peap: <<< recv TLS 1.2 [length 0046]
(4) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(4) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(4) eap_peap: <<< recv TLS 1.2 [length 0010]
(4) eap_peap: TLS_accept: SSLv3/TLS read finished
(4) eap_peap: >>> send TLS 1.2 [length 0001]
(4) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(4) eap_peap: >>> send TLS 1.2 [length 0010]
(4) eap_peap: TLS_accept: SSLv3/TLS write finished
(4) eap_peap: (other): SSL negotiation finished successfully
(4) eap_peap: TLS - Connection Established
(4) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(4) eap_peap: TLS-Session-Version = "TLS 1.2"
(4) eap_peap: TLS - got 51 bytes of data
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 6 length 57
(4) eap: EAP session adding &reply:State = 0x8e1144788a175d5a
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(4) session-state: Saving cached attributes
(4) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(4) TLS-Session-Version = "TLS 1.2"
(4) Sent Access-Challenge Id 2 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0
(4) EAP-Message = 0x01060039190014030300010116030300289251a406bf3dbfb03724ace561a3dd1a3295ed2c4d17b05d85670ecad49cb5873a6f8eb092810370
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x8e1144788a175d5aaaf63b261b53a370
(4) Finished request
Waking up in 4.8 seconds.
(5) Received Access-Request Id 3 from 10.8.150.118:1645 to 10.70.42.77:1645 length 175
(5) User-Name = "host/WNAMTest.stand.ru"
(5) Service-Type = Framed-User
(5) Framed-MTU = 1504
(5) Called-Station-Id = "00-17-E0-1C-15-87"
(5) Calling-Station-Id = "00-E0-4C-31-0E-67"
(5) EAP-Message = 0x020600061900
(5) Message-Authenticator = 0x325b51a8e67ce86e0d4401a06a1cadba
(5) NAS-Port-Type = Ethernet
(5) NAS-Port = 50005
(5) NAS-Port-Id = "FastEthernet0/5"
(5) State = 0x8e1144788a175d5aaaf63b261b53a370
(5) NAS-IP-Address = 10.8.150.118
(5) Restoring &session-state
(5) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5) &session-state:TLS-Session-Version = "TLS 1.2"
(5) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [chap] = noop
(5) [mschap] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) update control {
(5) &Proxy-To-Realm := LOCAL
(5) } # update control = noop
(5) eap: Peer sent EAP Response (code 2) ID 6 length 6
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(5) authenticate {
(5) eap: Expiring EAP session with state 0x8e1144788a175d5a
(5) eap: Finished EAP session with state 0x8e1144788a175d5a
(5) eap: Previous EAP request found for state 0x8e1144788a175d5a, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(5) eap_peap: [eaptls verify] = success
(5) eap_peap: [eaptls process] = success
(5) eap_peap: Session established. Decoding tunneled attributes
(5) eap_peap: PEAP state TUNNEL ESTABLISHED
(5) eap: Sending EAP Request (code 1) ID 7 length 40
(5) eap: EAP session adding &reply:State = 0x8e1144788b165d5a
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(5) session-state: Saving cached attributes
(5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5) TLS-Session-Version = "TLS 1.2"
(5) Sent Access-Challenge Id 3 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0
(5) EAP-Message = 0x010700281900170303001d9251a406bf3dbfb1c4883ad1165a072b12d250a2a4d4747b6748cd60ed
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x8e1144788b165d5aaaf63b261b53a370
(5) Finished request
Waking up in 4.8 seconds.
(6) Received Access-Request Id 4 from 10.8.150.118:1645 to 10.70.42.77:1645 length 227
(6) User-Name = "host/WNAMTest.stand.ru"
(6) Service-Type = Framed-User
(6) Framed-MTU = 1504
(6) Called-Station-Id = "00-17-E0-1C-15-87"
(6) Calling-Station-Id = "00-E0-4C-31-0E-67"
(6) EAP-Message = 0x0207003a1900170303002f000000000000000155af9208b9017d53ad5ae04767876fbc5e85a534d96d067d5325b0772d3d76e28e379d081fb595
(6) Message-Authenticator = 0xac48ac31824eed7ee4ef2c0c7cea5934
(6) NAS-Port-Type = Ethernet
(6) NAS-Port = 50005
(6) NAS-Port-Id = "FastEthernet0/5"
(6) State = 0x8e1144788b165d5aaaf63b261b53a370
(6) NAS-IP-Address = 10.8.150.118
(6) Restoring &session-state
(6) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6) &session-state:TLS-Session-Version = "TLS 1.2"
(6) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [chap] = noop
(6) [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) update control {
(6) &Proxy-To-Realm := LOCAL
(6) } # update control = noop
(6) eap: Peer sent EAP Response (code 2) ID 7 length 58
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6) authenticate {
(6) eap: Expiring EAP session with state 0x8e1144788b165d5a
(6) eap: Finished EAP session with state 0x8e1144788b165d5a
(6) eap: Previous EAP request found for state 0x8e1144788b165d5a, released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: [eaptls verify] = ok
(6) eap_peap: Done initial handshake
(6) eap_peap: [eaptls process] = ok
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(6) eap_peap: Identity - host/WNAMTest.stand.ru
(6) eap_peap: Got inner identity 'host/WNAMTest.stand.ru'
(6) eap_peap: Setting default EAP type for tunneled EAP session
(6) eap_peap: Got tunneled request
(6) eap_peap: EAP-Message = 0x0207001b01686f73742f574e414d546573742e7374616e642e7275
(6) eap_peap: Setting User-Name to host/WNAMTest.stand.ru
(6) eap_peap: Sending tunneled request to inner-tunnel
(6) eap_peap: EAP-Message = 0x0207001b01686f73742f574e414d546573742e7374616e642e7275
(6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_peap: User-Name = "host/WNAMTest.stand.ru"
(6) Virtual server inner-tunnel received request
(6) EAP-Message = 0x0207001b01686f73742f574e414d546573742e7374616e642e7275
(6) FreeRADIUS-Proxied-To = 127.0.0.1
(6) User-Name = "host/WNAMTest.stand.ru"
(6) WARNING: Outer and inner identities are the same. User privacy is compromised.
(6) server inner-tunnel {
(6) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [chap] = noop
(6) [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) update control {
(6) &Proxy-To-Realm := LOCAL
(6) } # update control = noop
(6) eap: Peer sent EAP Response (code 2) ID 7 length 27
(6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6) authenticate {
(6) eap: Peer sent packet with method EAP Identity (1)
(6) eap: Calling submodule eap_mschapv2 to process data
(6) eap_mschapv2: Issuing Challenge
(6) eap: Sending EAP Request (code 1) ID 8 length 43
(6) eap: EAP session adding &reply:State = 0x80bfe1b680b7fb9c
(6) [eap] = handled
(6) } # authenticate = handled
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6) EAP-Message = 0x0108002b1a01080026106912a9030f5003beda5b4dec2f6730a8667265657261646975732d332e302e3231
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x80bfe1b680b7fb9c548551106d70804b
(6) eap_peap: Got tunneled reply code 11
(6) eap_peap: EAP-Message = 0x0108002b1a01080026106912a9030f5003beda5b4dec2f6730a8667265657261646975732d332e302e3231
(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap: State = 0x80bfe1b680b7fb9c548551106d70804b
(6) eap_peap: Got tunneled reply RADIUS code 11
(6) eap_peap: EAP-Message = 0x0108002b1a01080026106912a9030f5003beda5b4dec2f6730a8667265657261646975732d332e302e3231
(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap: State = 0x80bfe1b680b7fb9c548551106d70804b
(6) eap_peap: Got tunneled Access-Challenge
(6) eap: Sending EAP Request (code 1) ID 8 length 74
(6) eap: EAP session adding &reply:State = 0x8e11447888195d5a
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found. Ignoring.
(6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6) session-state: Saving cached attributes
(6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6) TLS-Session-Version = "TLS 1.2"
(6) Sent Access-Challenge Id 4 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0
(6) EAP-Message = 0x0108004a1900170303003f9251a406bf3dbfb21ba0d54fc4fb678471339bd905a4d1efe72a529fbfa57ac4d537c3a217957d3ece4e5b8b66b75ccc379346f106da70cb435a9a8260dd81
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x8e11447888195d5aaaf63b261b53a370
(6) Finished request
Waking up in 4.4 seconds.