Hi Guys,

iam trying to set up my mikrotik + freeradius to get my users in different groups

e.g:
SSID: WIRELESS
user-A = VLAN23
user-B = VLAN37

so, i think my freeradius setup is fine, i’ve added

Mikrotik_Wireless_VLANID =* ANY,
Mikrotik_Wireless_VLANIDTYPE =* ANY

to /mods-config/attr_filter/post-proxy

(user attributes are set via Groups in the SQL table)
and i have

ATTRIBUTE       MIKROTIK_WIRELESS_VLANID                26      integer
ATTRIBUTE       MIKROTIK_WIRELESS_VLANIDTYPE            27      integer

my vlans are on the datapath bridges of the SSID

/interface bridge add name=WIRELESS
/caps-man datapath add name=WIRELESS-PATH bridge=WIRELESS vlan-mode=use-tag
/interface vlan add interface=WIRELESS vlan-id=23 use-service-tag=no
/interface vlan add interface=WIRELESS vlan-id=37 use-service-tag=no

Well, my user is authenticated on RADIUS and gets access to the WLAN, i see the right VLANID in the freeradius output, but mymikrotik is always using VLANID=1

So? how can i fix it?

i also tried instead of
MIKROTIK_WIRELESS_VLANID
MIKROTIK-WIRELESS-VLANID
Mikrotik-Wireless-VLANID
Mikrotik_Wireless_VLANID

which one is the right one?

Does anyone have a hint for me? Where are u… CAPSMAN VLAN Experts (normally finding @ eudroam Areas)

According to https://wiki.mikrotik.com/wiki/Manual:RADIUS_Client/vendor_dictionary

ATTRIBUTE Mikrotik_Wireless_VLANID 26 integer
ATTRIBUTE Mikrotik_Wireless_VLANIDtype 27 integer

Are the correct attributes.

Can you post a radtest?

hi pukkita,
hi everyone other

thanks for informations, i’ve changed the values on the dictionary, sql database and post-proxy file


huber@maier.de
it is the same like… john@doe.com it’s my testuser

my testuser is in the filter group (well radius tells proper VLANID)

filter group settings on sql DB @ radgroupreply

+----+------------+-------------------------------+----+-------+
| id | groupname  | attribute                     | op | value |
+----+------------+-------------------------------+----+-------+
|  1 | filter     | Mikrotik_Wireless_VLANID      | := | 0x14  |
|  2 | filter     | Mikrotik_Wireless_VLANIDtype  | := | 0x0   |
+----+------------+-------------------------------+----+-------+

freeradius -X output

(287) Received Access-Request Id 180 from 198.51.100.34:1814 to 198.51.100.35:1812 length 203
(287)   Service-Type = Framed-User
(287)   Framed-MTU = 1400
(287)   User-Name = "huber@maier.de"
(287)   NAS-Port-Id = "CAP-6C3B6B7695E3-1-1"
(287)   NAS-Port-Type = Wireless-802.11
(287)   Acct-Session-Id = "8210066c"
(287)   Calling-Station-Id = "A0-88-B4-D7-58-A4"
(287)   Called-Station-Id = "6e-3b-6b-76-95-e9:WIRELESS"
(287)   EAP-Message = 0x02010013016875626572406d616965722e6465
(287)   Message-Authenticator = 0xd20d50b03a226a33428f53bce169f985
(287)   NAS-Identifier = "CAPsMAN"
(287)   NAS-IP-Address = 198.51.100.33
(287)   Proxy-State = 0x323430
(287) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(287)   authorize {
(287)     policy filter_username {
(287)       if (&User-Name) {
(287)       if (&User-Name)  -> TRUE
(287)       if (&User-Name)  {
(287)         if (&User-Name =~ / /) {
(287)         if (&User-Name =~ / /)  -> FALSE
(287)         if (&User-Name =~ /@[^@]*@/ ) {
(287)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(287)         if (&User-Name =~ /\.\./ ) {
(287)         if (&User-Name =~ /\.\./ )  -> FALSE
(287)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(287)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(287)         if (&User-Name =~ /\.$/)  {
(287)         if (&User-Name =~ /\.$/)   -> FALSE
(287)         if (&User-Name =~ /@\./)  {
(287)         if (&User-Name =~ /@\./)   -> FALSE
(287)       } # if (&User-Name)  = notfound
(287)     } # policy filter_username = notfound
(287)     [preprocess] = ok
(287)     [chap] = noop
(287)     [mschap] = noop
(287)     [digest] = noop
(287) suffix: Checking for suffix after "@"
(287) suffix: Looking up realm "maier.de" for User-Name = "huber@maier.de"
(287) suffix: No such realm "maier.de"
(287)     [suffix] = noop
(287) eap: Peer sent EAP Response (code 2) ID 1 length 19
(287) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(287)     [eap] = ok
(287)   } # authorize = ok
(287) Found Auth-Type = eap
(287) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(287)   authenticate {
(287) eap: Peer sent packet with method EAP Identity (1)
(287) eap: Calling submodule eap_peap to process data
(287) eap_peap: Initiating new EAP-TLS session
(287) eap_peap: [eaptls start] = request
(287) eap: Sending EAP Request (code 1) ID 2 length 6
(287) eap: EAP session adding &reply:State = 0xc1bb6d52c1b974cd
(287)     [eap] = handled
(287)   } # authenticate = handled
(287) Using Post-Auth-Type Challenge
(287) Post-Auth-Type sub-section not found.  Ignoring.
(287) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(287) Sent Access-Challenge Id 180 from 198.51.100.35:1812 to 198.51.100.34:1814 length 0
(287)   EAP-Message = 0x010200061920
(287)   Message-Authenticator = 0x00000000000000000000000000000000
(287)   State = 0xc1bb6d52c1b974cd71f70b1b63d2de6d
(287)   Proxy-State = 0x323430
(287) Finished request
Waking up in 4.9 seconds.
(288) Received Access-Request Id 55 from 198.51.100.34:1814 to 198.51.100.35:1812 length 315
(288)   Service-Type = Framed-User
(288)   Framed-MTU = 1400
(288)   User-Name = "huber@maier.de"
(288)   State = 0xc1bb6d52c1b974cd71f70b1b63d2de6d
(288)   NAS-Port-Id = "CAP-6C3B6B7695E3-1-1"
(288)   NAS-Port-Type = Wireless-802.11
(288)   Acct-Session-Id = "8210066c"
(288)   Calling-Station-Id = "A0-88-B4-D7-58-A4"
(288)   Called-Station-Id = "6e-3b-6b-76-95-e9:WIRELESS"
(288)   EAP-Message = 0x0202007119800000006716030100620100005e030158c4b5d9c5b21146e2f5a37450b85f73a5d347667ddaf99d6fe35c88cb6bc0a200001cc014c013003900330035002fc00ac00900380032000a00130005000401000019000a0006000400170018000b0002010000170000ff01000100
(288)   Message-Authenticator = 0x936e50e37e45e65c4800819cc8a74f5d
(288)   NAS-Identifier = "CAPsMAN"
(288)   NAS-IP-Address = 198.51.100.33
(288)   Proxy-State = 0x323431
(288) session-state: No cached attributes
(288) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(288)   authorize {
(288)     policy filter_username {
(288)       if (&User-Name) {
(288)       if (&User-Name)  -> TRUE
(288)       if (&User-Name)  {
(288)         if (&User-Name =~ / /) {
(288)         if (&User-Name =~ / /)  -> FALSE
(288)         if (&User-Name =~ /@[^@]*@/ ) {
(288)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(288)         if (&User-Name =~ /\.\./ ) {
(288)         if (&User-Name =~ /\.\./ )  -> FALSE
(288)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(288)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(288)         if (&User-Name =~ /\.$/)  {
(288)         if (&User-Name =~ /\.$/)   -> FALSE
(288)         if (&User-Name =~ /@\./)  {
(288)         if (&User-Name =~ /@\./)   -> FALSE
(288)       } # if (&User-Name)  = notfound
(288)     } # policy filter_username = notfound
(288)     [preprocess] = ok
(288)     [chap] = noop
(288)     [mschap] = noop
(288)     [digest] = noop
(288) suffix: Checking for suffix after "@"
(288) suffix: Looking up realm "maier.de" for User-Name = "huber@maier.de"
(288) suffix: No such realm "maier.de"
(288)     [suffix] = noop
(288) eap: Peer sent EAP Response (code 2) ID 2 length 113
(288) eap: Continuing tunnel setup
(288)     [eap] = ok
(288)   } # authorize = ok
(288) Found Auth-Type = eap
(288) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(288)   authenticate {
(288) eap: Expiring EAP session with state 0xc1bb6d52c1b974cd
(288) eap: Finished EAP session with state 0xc1bb6d52c1b974cd
(288) eap: Previous EAP request found for state 0xc1bb6d52c1b974cd, released from the list
(288) eap: Peer sent packet with method EAP PEAP (25)
(288) eap: Calling submodule eap_peap to process data
(288) eap_peap: Continuing EAP-TLS
(288) eap_peap: Peer indicated complete TLS record size will be 103 bytes
(288) eap_peap: Got complete TLS record (103 bytes)
(288) eap_peap: [eaptls verify] = length included
(288) eap_peap: (other): before SSL initialization
(288) eap_peap: TLS_accept: before SSL initialization
(288) eap_peap: TLS_accept: before SSL initialization
(288) eap_peap: <<< recv TLS 1.2  [length 0062]
(288) eap_peap: TLS_accept: SSLv3/TLS read client hello
(288) eap_peap: >>> send TLS 1.0 Handshake [length 005d], ServerHello
(288) eap_peap: TLS_accept: SSLv3/TLS write server hello
(288) eap_peap: >>> send TLS 1.0 Handshake [length 0c00], Certificate
(288) eap_peap: TLS_accept: SSLv3/TLS write certificate
(288) eap_peap: >>> send TLS 1.0 Handshake [length 014b], ServerKeyExchange
(288) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(288) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone
(288) eap_peap: TLS_accept: SSLv3/TLS write server done
(288) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(288) eap_peap: In SSL Handshake Phase
(288) eap_peap: In SSL Accept mode
(288) eap_peap: [eaptls process] = handled
(288) eap: Sending EAP Request (code 1) ID 3 length 1004
(288) eap: EAP session adding &reply:State = 0xc1bb6d52c0b874cd
(288)     [eap] = handled
(288)   } # authenticate = handled
(288) Using Post-Auth-Type Challenge
(288) Post-Auth-Type sub-section not found.  Ignoring.
(288) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(288) Sent Access-Challenge Id 55 from 198.51.100.35:1812 to 198.51.100.34:1814 length 0
(288)   EAP-Message = 0x010303ec19c000000dc0160301005d02000059030105ce231e2ab32150a342f7a6e9015024385fd97b68c2cc5083888678317d798f2038af41516247bd0f9e27b3e091fcc6da1696efd86eb8944f7694a973b9f2afa8c014000011ff01000100000b000403000102001700001603010c000b000bfc000b
(288)   Message-Authenticator = 0x00000000000000000000000000000000
(288)   State = 0xc1bb6d52c0b874cd71f70b1b63d2de6d
(288)   Proxy-State = 0x323431
(288) Finished request
Waking up in 4.8 seconds.
(289) Received Access-Request Id 240 from 198.51.100.34:1814 to 198.51.100.35:1812 length 208
(289)   Service-Type = Framed-User
(289)   Framed-MTU = 1400
(289)   User-Name = "huber@maier.de"
(289)   State = 0xc1bb6d52c0b874cd71f70b1b63d2de6d
(289)   NAS-Port-Id = "CAP-6C3B6B7695E3-1-1"
(289)   NAS-Port-Type = Wireless-802.11
(289)   Acct-Session-Id = "8210066c"
(289)   Calling-Station-Id = "A0-88-B4-D7-58-A4"
(289)   Called-Station-Id = "6e-3b-6b-76-95-e9:WIRELESS"
(289)   EAP-Message = 0x020300061900
(289)   Message-Authenticator = 0xed5c185f1da6c8b200ebfae8ef9de1ca
(289)   NAS-Identifier = "CAPsMAN"
(289)   NAS-IP-Address = 198.51.100.33
(289)   Proxy-State = 0x323432
(289) session-state: No cached attributes
(289) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(289)   authorize {
(289)     policy filter_username {
(289)       if (&User-Name) {
(289)       if (&User-Name)  -> TRUE
(289)       if (&User-Name)  {
(289)         if (&User-Name =~ / /) {
(289)         if (&User-Name =~ / /)  -> FALSE
(289)         if (&User-Name =~ /@[^@]*@/ ) {
(289)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(289)         if (&User-Name =~ /\.\./ ) {
(289)         if (&User-Name =~ /\.\./ )  -> FALSE
(289)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(289)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(289)         if (&User-Name =~ /\.$/)  {
(289)         if (&User-Name =~ /\.$/)   -> FALSE
(289)         if (&User-Name =~ /@\./)  {
(289)         if (&User-Name =~ /@\./)   -> FALSE
(289)       } # if (&User-Name)  = notfound
(289)     } # policy filter_username = notfound
(289)     [preprocess] = ok
(289)     [chap] = noop
(289)     [mschap] = noop
(289)     [digest] = noop
(289) suffix: Checking for suffix after "@"
(289) suffix: Looking up realm "maier.de" for User-Name = "huber@maier.de"
(289) suffix: No such realm "maier.de"
(289)     [suffix] = noop
(289) eap: Peer sent EAP Response (code 2) ID 3 length 6
(289) eap: Continuing tunnel setup
(289)     [eap] = ok
(289)   } # authorize = ok
(289) Found Auth-Type = eap
(289) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(289)   authenticate {
(289) eap: Expiring EAP session with state 0xc1bb6d52c0b874cd
(289) eap: Finished EAP session with state 0xc1bb6d52c0b874cd
(289) eap: Previous EAP request found for state 0xc1bb6d52c0b874cd, released from the list
(289) eap: Peer sent packet with method EAP PEAP (25)
(289) eap: Calling submodule eap_peap to process data
(289) eap_peap: Continuing EAP-TLS
(289) eap_peap: Peer ACKed our handshake fragment
(289) eap_peap: [eaptls verify] = request
(289) eap_peap: [eaptls process] = handled
(289) eap: Sending EAP Request (code 1) ID 4 length 1000
(289) eap: EAP session adding &reply:State = 0xc1bb6d52c3bf74cd
(289)     [eap] = handled
(289)   } # authenticate = handled
(289) Using Post-Auth-Type Challenge
(289) Post-Auth-Type sub-section not found.  Ignoring.
(289) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(289) Sent Access-Challenge Id 240 from 198.51.100.35:1812 to 198.51.100.34:1814 length 0
(289)   EAP-Message = 0x010403e8194074696e672e646530230603551d12041c301a8618687474703a2f2f7777772e737461727473736c2e636f6d2f30510603551d20044a30483008060667810c010201303c060b2b0601040181b537010205302d302b06082b06010505070201161f68747470733a2f2f7777772e7374617274
(289)   Message-Authenticator = 0x00000000000000000000000000000000
(289)   State = 0xc1bb6d52c3bf74cd71f70b1b63d2de6d
(289)   Proxy-State = 0x323432
(289) Finished request
Waking up in 4.7 seconds.
(290) Received Access-Request Id 39 from 198.51.100.34:1814 to 198.51.100.35:1812 length 208
(290)   Service-Type = Framed-User
(290)   Framed-MTU = 1400
(290)   User-Name = "huber@maier.de"
(290)   State = 0xc1bb6d52c3bf74cd71f70b1b63d2de6d
(290)   NAS-Port-Id = "CAP-6C3B6B7695E3-1-1"
(290)   NAS-Port-Type = Wireless-802.11
(290)   Acct-Session-Id = "8210066c"
(290)   Calling-Station-Id = "A0-88-B4-D7-58-A4"
(290)   Called-Station-Id = "6e-3b-6b-76-95-e9:WIRELESS"
(290)   EAP-Message = 0x020400061900
(290)   Message-Authenticator = 0xf574554d83dbb84380ba97bfc058812b
(290)   NAS-Identifier = "CAPsMAN"
(290)   NAS-IP-Address = 198.51.100.33
(290)   Proxy-State = 0x323433
(290) session-state: No cached attributes
(290) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(290)   authorize {
(290)     policy filter_username {
(290)       if (&User-Name) {
(290)       if (&User-Name)  -> TRUE
(290)       if (&User-Name)  {
(290)         if (&User-Name =~ / /) {
(290)         if (&User-Name =~ / /)  -> FALSE
(290)         if (&User-Name =~ /@[^@]*@/ ) {
(290)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(290)         if (&User-Name =~ /\.\./ ) {
(290)         if (&User-Name =~ /\.\./ )  -> FALSE
(290)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(290)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(290)         if (&User-Name =~ /\.$/)  {
(290)         if (&User-Name =~ /\.$/)   -> FALSE
(290)         if (&User-Name =~ /@\./)  {
(290)         if (&User-Name =~ /@\./)   -> FALSE
(290)       } # if (&User-Name)  = notfound
(290)     } # policy filter_username = notfound
(290)     [preprocess] = ok
(290)     [chap] = noop
(290)     [mschap] = noop
(290)     [digest] = noop
(290) suffix: Checking for suffix after "@"
(290) suffix: Looking up realm "maier.de" for User-Name = "huber@maier.de"
(290) suffix: No such realm "maier.de"
(290)     [suffix] = noop
(290) eap: Peer sent EAP Response (code 2) ID 4 length 6
(290) eap: Continuing tunnel setup
(290)     [eap] = ok
(290)   } # authorize = ok
(290) Found Auth-Type = eap
(290) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(290)   authenticate {
(290) eap: Expiring EAP session with state 0xc1bb6d52c3bf74cd
(290) eap: Finished EAP session with state 0xc1bb6d52c3bf74cd
(290) eap: Previous EAP request found for state 0xc1bb6d52c3bf74cd, released from the list
(290) eap: Peer sent packet with method EAP PEAP (25)
(290) eap: Calling submodule eap_peap to process data
(290) eap_peap: Continuing EAP-TLS
(290) eap_peap: Peer ACKed our handshake fragment
(290) eap_peap: [eaptls verify] = request
(290) eap_peap: [eaptls process] = handled
(290) eap: Sending EAP Request (code 1) ID 5 length 1000
(290) eap: EAP session adding &reply:State = 0xc1bb6d52c2be74cd
(290)     [eap] = handled
(290)   } # authenticate = handled
(290) Using Post-Auth-Type Challenge
(290) Post-Auth-Type sub-section not found.  Ignoring.
(290) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(290) Sent Access-Challenge Id 39 from 198.51.100.35:1812 to 198.51.100.34:1814 length 0
(290)   EAP-Message = 0x010503e819404130820122300d06092a864886f70d01010105000382010f003082010a0282010100daecf4aa88678bb04b626696bfc94468e6c22b4ca033ceac79e376c3d156e075af41b40a4580efcb8de416e326143e111e41e7d4c93bb228d7909fc5f0d1fee538db8a7b3bb4520265777e41ed8e0c
(290)   Message-Authenticator = 0x00000000000000000000000000000000
(290)   State = 0xc1bb6d52c2be74cd71f70b1b63d2de6d
(290)   Proxy-State = 0x323433
(290) Finished request
Waking up in 4.5 seconds.
(291) Received Access-Request Id 162 from 198.51.100.34:1814 to 198.51.100.35:1812 length 208
(291)   Service-Type = Framed-User
(291)   Framed-MTU = 1400
(291)   User-Name = "huber@maier.de"
(291)   State = 0xc1bb6d52c2be74cd71f70b1b63d2de6d
(291)   NAS-Port-Id = "CAP-6C3B6B7695E3-1-1"
(291)   NAS-Port-Type = Wireless-802.11
(291)   Acct-Session-Id = "8210066c"
(291)   Calling-Station-Id = "A0-88-B4-D7-58-A4"
(291)   Called-Station-Id = "6e-3b-6b-76-95-e9:WIRELESS"
(291)   EAP-Message = 0x020500061900
(291)   Message-Authenticator = 0x8681d80a1eeba631a59716bab8a0aae2
(291)   NAS-Identifier = "CAPsMAN"
(291)   NAS-IP-Address = 198.51.100.33
(291)   Proxy-State = 0x323434
(291) session-state: No cached attributes
(291) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(291)   authorize {
(291)     policy filter_username {
(291)       if (&User-Name) {
(291)       if (&User-Name)  -> TRUE
(291)       if (&User-Name)  {
(291)         if (&User-Name =~ / /) {
(291)         if (&User-Name =~ / /)  -> FALSE
(291)         if (&User-Name =~ /@[^@]*@/ ) {
(291)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(291)         if (&User-Name =~ /\.\./ ) {
(291)         if (&User-Name =~ /\.\./ )  -> FALSE
(291)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(291)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(291)         if (&User-Name =~ /\.$/)  {
(291)         if (&User-Name =~ /\.$/)   -> FALSE
(291)         if (&User-Name =~ /@\./)  {
(291)         if (&User-Name =~ /@\./)   -> FALSE
(291)       } # if (&User-Name)  = notfound
(291)     } # policy filter_username = notfound
(291)     [preprocess] = ok
(291)     [chap] = noop
(291)     [mschap] = noop
(291)     [digest] = noop
(291) suffix: Checking for suffix after "@"
(291) suffix: Looking up realm "maier.de" for User-Name = "huber@maier.de"
(291) suffix: No such realm "maier.de"
(291)     [suffix] = noop
(291) eap: Peer sent EAP Response (code 2) ID 5 length 6
(291) eap: Continuing tunnel setup
(291)     [eap] = ok
(291)   } # authorize = ok
(291) Found Auth-Type = eap
(291) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(291)   authenticate {
(291) eap: Expiring EAP session with state 0xc1bb6d52c2be74cd
(291) eap: Finished EAP session with state 0xc1bb6d52c2be74cd
(291) eap: Previous EAP request found for state 0xc1bb6d52c2be74cd, released from the list
(291) eap: Peer sent packet with method EAP PEAP (25)
(291) eap: Calling submodule eap_peap to process data
(291) eap_peap: Continuing EAP-TLS
(291) eap_peap: Peer ACKed our handshake fragment
(291) eap_peap: [eaptls verify] = request
(291) eap_peap: [eaptls process] = handled
(291) eap: Sending EAP Request (code 1) ID 6 length 544
(291) eap: EAP session adding &reply:State = 0xc1bb6d52c5bd74cd
(291)     [eap] = handled
(291)   } # authenticate = handled
(291) Using Post-Auth-Type Challenge
(291) Post-Auth-Type sub-section not found.  Ignoring.
(291) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(291) Sent Access-Challenge Id 162 from 198.51.100.35:1812 to 198.51.100.34:1814 length 0
(291)   EAP-Message = 0x010602201900d4148a8f1519b5dec1a89df1d65bc3da36deed62aaceeb196ed3e1160ac30ec81dc36ef342890d60165969ad4bc1864666075d88070b718922946a1b036c0b2a4e9e633e959dab43748e1a431e859075af294d1eeecfdc5329ba3f1def5eb0b8cfac28033b42f7c5daa2b3ced2990bef73
(291)   Message-Authenticator = 0x00000000000000000000000000000000
(291)   State = 0xc1bb6d52c5bd74cd71f70b1b63d2de6d
(291)   Proxy-State = 0x323434
(291) Finished request
Waking up in 4.4 seconds.
(292) Received Access-Request Id 127 from 198.51.100.34:1814 to 198.51.100.35:1812 length 346
(292)   Service-Type = Framed-User
(292)   Framed-MTU = 1400
(292)   User-Name = "huber@maier.de"
(292)   State = 0xc1bb6d52c5bd74cd71f70b1b63d2de6d
(292)   NAS-Port-Id = "CAP-6C3B6B7695E3-1-1"
(292)   NAS-Port-Type = Wireless-802.11
(292)   Acct-Session-Id = "8210066c"
(292)   Calling-Station-Id = "A0-88-B4-D7-58-A4"
(292)   Called-Station-Id = "6e-3b-6b-76-95-e9:WIRELESS"
(292)   EAP-Message = 0x02060090198000000086160301004610000042410430e6273200b886f6ec078425238bddb09e5a05f24d5263d64286d15149e61f564a200a05561851b376c88b25289660ea8059f875b9fcdd648d759de86a49d00f140301000101160301003008112980457c2cafde104639f365e45fe165092deeb415
(292)   Message-Authenticator = 0x4a20c696e15944ab24dbb23d375a237a
(292)   NAS-Identifier = "CAPsMAN"
(292)   NAS-IP-Address = 198.51.100.33
(292)   Proxy-State = 0x323435
(292) session-state: No cached attributes
(292) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(292)   authorize {
(292)     policy filter_username {
(292)       if (&User-Name) {
(292)       if (&User-Name)  -> TRUE
(292)       if (&User-Name)  {
(292)         if (&User-Name =~ / /) {
(292)         if (&User-Name =~ / /)  -> FALSE
(292)         if (&User-Name =~ /@[^@]*@/ ) {
(292)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(292)         if (&User-Name =~ /\.\./ ) {
(292)         if (&User-Name =~ /\.\./ )  -> FALSE
(292)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(292)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(292)         if (&User-Name =~ /\.$/)  {
(292)         if (&User-Name =~ /\.$/)   -> FALSE
(292)         if (&User-Name =~ /@\./)  {
(292)         if (&User-Name =~ /@\./)   -> FALSE
(292)       } # if (&User-Name)  = notfound
(292)     } # policy filter_username = notfound
(292)     [preprocess] = ok
(292)     [chap] = noop
(292)     [mschap] = noop
(292)     [digest] = noop
(292) suffix: Checking for suffix after "@"
(292) suffix: Looking up realm "maier.de" for User-Name = "huber@maier.de"
(292) suffix: No such realm "maier.de"
(292)     [suffix] = noop
(292) eap: Peer sent EAP Response (code 2) ID 6 length 144
(292) eap: Continuing tunnel setup
(292)     [eap] = ok
(292)   } # authorize = ok
(292) Found Auth-Type = eap
(292) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(292)   authenticate {
(292) eap: Expiring EAP session with state 0xc1bb6d52c5bd74cd
(292) eap: Finished EAP session with state 0xc1bb6d52c5bd74cd
(292) eap: Previous EAP request found for state 0xc1bb6d52c5bd74cd, released from the list
(292) eap: Peer sent packet with method EAP PEAP (25)
(292) eap: Calling submodule eap_peap to process data
(292) eap_peap: Continuing EAP-TLS
(292) eap_peap: Peer indicated complete TLS record size will be 134 bytes
(292) eap_peap: Got complete TLS record (134 bytes)
(292) eap_peap: [eaptls verify] = length included
(292) eap_peap: TLS_accept: SSLv3/TLS write server done
(292) eap_peap: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange
(292) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(292) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(292) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(292) eap_peap: TLS_accept: SSLv3/TLS read finished
(292) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(292) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(292) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(292) eap_peap: TLS_accept: SSLv3/TLS write finished
(292) eap_peap: (other): SSL negotiation finished successfully
(292) eap_peap: SSL Connection Established
(292) eap_peap: [eaptls process] = handled
(292) eap: Sending EAP Request (code 1) ID 7 length 65
(292) eap: EAP session adding &reply:State = 0xc1bb6d52c4bc74cd
(292)     [eap] = handled
(292)   } # authenticate = handled
(292) Using Post-Auth-Type Challenge
(292) Post-Auth-Type sub-section not found.  Ignoring.
(292) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(292) Sent Access-Challenge Id 127 from 198.51.100.35:1812 to 198.51.100.34:1814 length 0
(292)   EAP-Message = 0x0107004119001403010001011603010030ab13238f6949f5a033f0abfdf72c16d7ed93183a0b3fd0cde3f0aa7a2ccbc06920741721c65b97f6b6ae85c2389e4a29
(292)   Message-Authenticator = 0x00000000000000000000000000000000
(292)   State = 0xc1bb6d52c4bc74cd71f70b1b63d2de6d
(292)   Proxy-State = 0x323435
(292) Finished request
Waking up in 4.3 seconds.
(293) Received Access-Request Id 206 from 198.51.100.34:1814 to 198.51.100.35:1812 length 208
(293)   Service-Type = Framed-User
(293)   Framed-MTU = 1400
(293)   User-Name = "huber@maier.de"
(293)   State = 0xc1bb6d52c4bc74cd71f70b1b63d2de6d
(293)   NAS-Port-Id = "CAP-6C3B6B7695E3-1-1"
(293)   NAS-Port-Type = Wireless-802.11
(293)   Acct-Session-Id = "8210066c"
(293)   Calling-Station-Id = "A0-88-B4-D7-58-A4"
(293)   Called-Station-Id = "6e-3b-6b-76-95-e9:WIRELESS"
(293)   EAP-Message = 0x020700061900
(293)   Message-Authenticator = 0x4faa23bb37356e95a4b56db3510077e5
(293)   NAS-Identifier = "CAPsMAN"
(293)   NAS-IP-Address = 198.51.100.33
(293)   Proxy-State = 0x323436
(293) session-state: No cached attributes
(293) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(293)   authorize {
(293)     policy filter_username {
(293)       if (&User-Name) {
(293)       if (&User-Name)  -> TRUE
(293)       if (&User-Name)  {
(293)         if (&User-Name =~ / /) {
(293)         if (&User-Name =~ / /)  -> FALSE
(293)         if (&User-Name =~ /@[^@]*@/ ) {
(293)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(293)         if (&User-Name =~ /\.\./ ) {
(293)         if (&User-Name =~ /\.\./ )  -> FALSE
(293)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(293)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(293)         if (&User-Name =~ /\.$/)  {
(293)         if (&User-Name =~ /\.$/)   -> FALSE
(293)         if (&User-Name =~ /@\./)  {
(293)         if (&User-Name =~ /@\./)   -> FALSE
(293)       } # if (&User-Name)  = notfound
(293)     } # policy filter_username = notfound
(293)     [preprocess] = ok
(293)     [chap] = noop
(293)     [mschap] = noop
(293)     [digest] = noop
(293) suffix: Checking for suffix after "@"
(293) suffix: Looking up realm "maier.de" for User-Name = "huber@maier.de"
(293) suffix: No such realm "maier.de"
(293)     [suffix] = noop
(293) eap: Peer sent EAP Response (code 2) ID 7 length 6
(293) eap: Continuing tunnel setup
(293)     [eap] = ok
(293)   } # authorize = ok
(293) Found Auth-Type = eap
(293) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(293)   authenticate {
(293) eap: Expiring EAP session with state 0xc1bb6d52c4bc74cd
(293) eap: Finished EAP session with state 0xc1bb6d52c4bc74cd
(293) eap: Previous EAP request found for state 0xc1bb6d52c4bc74cd, released from the list
(293) eap: Peer sent packet with method EAP PEAP (25)
(293) eap: Calling submodule eap_peap to process data
(293) eap_peap: Continuing EAP-TLS
(293) eap_peap: Peer ACKed our handshake fragment.  handshake is finished
(293) eap_peap: [eaptls verify] = success
(293) eap_peap: [eaptls process] = success
(293) eap_peap: Session established.  Decoding tunneled attributes
(293) eap_peap: PEAP state TUNNEL ESTABLISHED
(293) eap: Sending EAP Request (code 1) ID 8 length 43
(293) eap: EAP session adding &reply:State = 0xc1bb6d52c7b374cd
(293)     [eap] = handled
(293)   } # authenticate = handled
(293) Using Post-Auth-Type Challenge
(293) Post-Auth-Type sub-section not found.  Ignoring.
(293) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(293) Sent Access-Challenge Id 206 from 198.51.100.35:1812 to 198.51.100.34:1814 length 0
(293)   EAP-Message = 0x0108002b19001703010020de01b1062ff6496a0b2abd347516233c95eb1da09fbaa8ebee7480220fbeaea3
(293)   Message-Authenticator = 0x00000000000000000000000000000000
(293)   State = 0xc1bb6d52c7b374cd71f70b1b63d2de6d
(293)   Proxy-State = 0x323436
(293) Finished request
Waking up in 4.1 seconds.
(292) Cleaning up request packet ID 127 with timestamp +647
(294) Received Access-Request Id 127 from 198.51.100.34:1814 to 198.51.100.35:1812 length 261
(294)   Service-Type = Framed-User
(294)   Framed-MTU = 1400
(294)   User-Name = "huber@maier.de"
(294)   State = 0xc1bb6d52c7b374cd71f70b1b63d2de6d
(294)   NAS-Port-Id = "CAP-6C3B6B7695E3-1-1"
(294)   NAS-Port-Type = Wireless-802.11
(294)   Acct-Session-Id = "8210066c"
(294)   Calling-Station-Id = "A0-88-B4-D7-58-A4"
(294)   Called-Station-Id = "6e-3b-6b-76-95-e9:WIRELESS"
(294)   EAP-Message = 0x0208003b190017030100300a794debdc99066c0fc331caeaf6999c8f089500097012607d9358bdfad6ee436988be48e83f2f3c6489f842595a7d18
(294)   Message-Authenticator = 0x00edc01ad856c31f0aa9a603a4bf492f
(294)   NAS-Identifier = "CAPsMAN"
(294)   NAS-IP-Address = 198.51.100.33
(294)   Proxy-State = 0x323437
(294) session-state: No cached attributes
(294) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(294)   authorize {
(294)     policy filter_username {
(294)       if (&User-Name) {
(294)       if (&User-Name)  -> TRUE
(294)       if (&User-Name)  {
(294)         if (&User-Name =~ / /) {
(294)         if (&User-Name =~ / /)  -> FALSE
(294)         if (&User-Name =~ /@[^@]*@/ ) {
(294)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(294)         if (&User-Name =~ /\.\./ ) {
(294)         if (&User-Name =~ /\.\./ )  -> FALSE
(294)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(294)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(294)         if (&User-Name =~ /\.$/)  {
(294)         if (&User-Name =~ /\.$/)   -> FALSE
(294)         if (&User-Name =~ /@\./)  {
(294)         if (&User-Name =~ /@\./)   -> FALSE
(294)       } # if (&User-Name)  = notfound
(294)     } # policy filter_username = notfound
(294)     [preprocess] = ok
(294)     [chap] = noop
(294)     [mschap] = noop
(294)     [digest] = noop
(294) suffix: Checking for suffix after "@"
(294) suffix: Looking up realm "maier.de" for User-Name = "huber@maier.de"
(294) suffix: No such realm "maier.de"
(294)     [suffix] = noop
(294) eap: Peer sent EAP Response (code 2) ID 8 length 59
(294) eap: Continuing tunnel setup
(294)     [eap] = ok
(294)   } # authorize = ok
(294) Found Auth-Type = eap
(294) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(294)   authenticate {
(294) eap: Expiring EAP session with state 0xc1bb6d52c7b374cd
(294) eap: Finished EAP session with state 0xc1bb6d52c7b374cd
(294) eap: Previous EAP request found for state 0xc1bb6d52c7b374cd, released from the list
(294) eap: Peer sent packet with method EAP PEAP (25)
(294) eap: Calling submodule eap_peap to process data
(294) eap_peap: Continuing EAP-TLS
(294) eap_peap: [eaptls verify] = ok
(294) eap_peap: Done initial handshake
(294) eap_peap: [eaptls process] = ok
(294) eap_peap: Session established.  Decoding tunneled attributes
(294) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(294) eap_peap: Identity - huber@maier.de
(294) eap_peap: Got inner identity 'huber@maier.de'
(294) eap_peap: Setting default EAP type for tunneled EAP session
(294) eap_peap: Got tunneled request
(294) eap_peap:   EAP-Message = 0x02080013016875626572406d616965722e6465
(294) eap_peap: Setting User-Name to huber@maier.de
(294) eap_peap: Sending tunneled request to inner-tunnel
(294) eap_peap:   EAP-Message = 0x02080013016875626572406d616965722e6465
(294) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(294) eap_peap:   User-Name = "huber@maier.de"
(294) Virtual server inner-tunnel received request
(294)   EAP-Message = 0x02080013016875626572406d616965722e6465
(294)   FreeRADIUS-Proxied-To = 127.0.0.1
(294)   User-Name = "huber@maier.de"
(294) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(294) server inner-tunnel {
(294)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(294)     authorize {
(294)       policy filter_username {
(294)         if (&User-Name) {
(294)         if (&User-Name)  -> TRUE
(294)         if (&User-Name)  {
(294)           if (&User-Name =~ / /) {
(294)           if (&User-Name =~ / /)  -> FALSE
(294)           if (&User-Name =~ /@[^@]*@/ ) {
(294)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(294)           if (&User-Name =~ /\.\./ ) {
(294)           if (&User-Name =~ /\.\./ )  -> FALSE
(294)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(294)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(294)           if (&User-Name =~ /\.$/)  {
(294)           if (&User-Name =~ /\.$/)   -> FALSE
(294)           if (&User-Name =~ /@\./)  {
(294)           if (&User-Name =~ /@\./)   -> FALSE
(294)         } # if (&User-Name)  = notfound
(294)       } # policy filter_username = notfound
(294)       [chap] = noop
(294)       [mschap] = noop
(294) suffix: Checking for suffix after "@"
(294) suffix: Looking up realm "maier.de" for User-Name = "huber@maier.de"
(294) suffix: No such realm "maier.de"
(294)       [suffix] = noop
(294)       update control {
(294)         &Proxy-To-Realm := LOCAL
(294)       } # update control = noop
(294) eap: Peer sent EAP Response (code 2) ID 8 length 19
(294) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(294)       [eap] = ok
(294)     } # authorize = ok
(294)   Found Auth-Type = eap
(294)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(294)     authenticate {
(294) eap: Peer sent packet with method EAP Identity (1)
(294) eap: Calling submodule eap_mschapv2 to process data
(294) eap_mschapv2: Issuing Challenge
(294) eap: Sending EAP Request (code 1) ID 9 length 43
(294) eap: EAP session adding &reply:State = 0xdfebe385dfe2f9cb
(294)       [eap] = handled
(294)     } # authenticate = handled
(294) } # server inner-tunnel
(294) Virtual server sending reply
(294)   EAP-Message = 0x0109002b1a01090026107d565e8e034bbd59952a4be50cada1bb667265657261646975732d332e302e3132
(294)   Message-Authenticator = 0x00000000000000000000000000000000
(294)   State = 0xdfebe385dfe2f9cb7f14999fa817c850
(294) eap_peap: Got tunneled reply code 11
(294) eap_peap:   EAP-Message = 0x0109002b1a01090026107d565e8e034bbd59952a4be50cada1bb667265657261646975732d332e302e3132
(294) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(294) eap_peap:   State = 0xdfebe385dfe2f9cb7f14999fa817c850
(294) eap_peap: Got tunneled reply RADIUS code 11
(294) eap_peap:   EAP-Message = 0x0109002b1a01090026107d565e8e034bbd59952a4be50cada1bb667265657261646975732d332e302e3132
(294) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(294) eap_peap:   State = 0xdfebe385dfe2f9cb7f14999fa817c850
(294) eap_peap: Got tunneled Access-Challenge
(294) eap: Sending EAP Request (code 1) ID 9 length 75
(294) eap: EAP session adding &reply:State = 0xc1bb6d52c6b274cd
(294)     [eap] = handled
(294)   } # authenticate = handled
(294) Using Post-Auth-Type Challenge
(294) Post-Auth-Type sub-section not found.  Ignoring.
(294) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(294) Sent Access-Challenge Id 127 from 198.51.100.35:1812 to 198.51.100.34:1814 length 0
(294)   EAP-Message = 0x0109004b19001703010040b821a243d000f9af78e277fafe6614826076c423043af72fdee82dc61f23ffcefb4cc297faa1c045adad54f58e0b0244221158db8408ce7c0d1f5f22ea0b977c
(294)   Message-Authenticator = 0x00000000000000000000000000000000
(294)   State = 0xc1bb6d52c6b274cd71f70b1b63d2de6d
(294)   Proxy-State = 0x323437
(294) Finished request
Waking up in 4.0 seconds.
(295) Received Access-Request Id 139 from 198.51.100.34:1814 to 198.51.100.35:1812 length 309
(295)   Service-Type = Framed-User
(295)   Framed-MTU = 1400
(295)   User-Name = "huber@maier.de"
(295)   State = 0xc1bb6d52c6b274cd71f70b1b63d2de6d
(295)   NAS-Port-Id = "CAP-6C3B6B7695E3-1-1"
(295)   NAS-Port-Type = Wireless-802.11
(295)   Acct-Session-Id = "8210066c"
(295)   Calling-Station-Id = "A0-88-B4-D7-58-A4"
(295)   Called-Station-Id = "6e-3b-6b-76-95-e9:WIRELESS"
(295)   EAP-Message = 0x0209006b190017030100606ae42580bb106d1207ea2ca18b4a47de3dda25a8b47f2623031a820569ac6b81843839da0b4d39df58f34818e59ac92969c2845b2930c047f9449df5fda29433423bad09b2dda17e5bbc88aad62fd6c42de59264aac0985d527e6568936d3895
(295)   Message-Authenticator = 0xcd9252c36820fdc05fde92956d5d7bd8
(295)   NAS-Identifier = "CAPsMAN"
(295)   NAS-IP-Address = 198.51.100.33
(295)   Proxy-State = 0x323438
(295) session-state: No cached attributes
(295) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(295)   authorize {
(295)     policy filter_username {
(295)       if (&User-Name) {
(295)       if (&User-Name)  -> TRUE
(295)       if (&User-Name)  {
(295)         if (&User-Name =~ / /) {
(295)         if (&User-Name =~ / /)  -> FALSE
(295)         if (&User-Name =~ /@[^@]*@/ ) {
(295)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(295)         if (&User-Name =~ /\.\./ ) {
(295)         if (&User-Name =~ /\.\./ )  -> FALSE
(295)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(295)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(295)         if (&User-Name =~ /\.$/)  {
(295)         if (&User-Name =~ /\.$/)   -> FALSE
(295)         if (&User-Name =~ /@\./)  {
(295)         if (&User-Name =~ /@\./)   -> FALSE
(295)       } # if (&User-Name)  = notfound
(295)     } # policy filter_username = notfound
(295)     [preprocess] = ok
(295)     [chap] = noop
(295)     [mschap] = noop
(295)     [digest] = noop
(295) suffix: Checking for suffix after "@"
(295) suffix: Looking up realm "maier.de" for User-Name = "huber@maier.de"
(295) suffix: No such realm "maier.de"
(295)     [suffix] = noop
(295) eap: Peer sent EAP Response (code 2) ID 9 length 107
(295) eap: Continuing tunnel setup
(295)     [eap] = ok
(295)   } # authorize = ok
(295) Found Auth-Type = eap
(295) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(295)   authenticate {
(295) eap: Expiring EAP session with state 0xdfebe385dfe2f9cb
(295) eap: Finished EAP session with state 0xc1bb6d52c6b274cd
(295) eap: Previous EAP request found for state 0xc1bb6d52c6b274cd, released from the list
(295) eap: Peer sent packet with method EAP PEAP (25)
(295) eap: Calling submodule eap_peap to process data
(295) eap_peap: Continuing EAP-TLS
(295) eap_peap: [eaptls verify] = ok
(295) eap_peap: Done initial handshake
(295) eap_peap: [eaptls process] = ok
(295) eap_peap: Session established.  Decoding tunneled attributes
(295) eap_peap: PEAP state phase2
(295) eap_peap: EAP method MSCHAPv2 (26)
(295) eap_peap: Got tunneled request
(295) eap_peap:   EAP-Message = 0x020900491a02090044314315e3109c1d299eeb2cb26ea554ef8a00000000000000006a481b57c4b44aa87900dee5fd6edd6278e861f0c69b6ddb006875626572406d616965722e6465
(295) eap_peap: Setting User-Name to huber@maier.de
(295) eap_peap: Sending tunneled request to inner-tunnel
(295) eap_peap:   EAP-Message = 0x020900491a02090044314315e3109c1d299eeb2cb26ea554ef8a00000000000000006a481b57c4b44aa87900dee5fd6edd6278e861f0c69b6ddb006875626572406d616965722e6465
(295) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(295) eap_peap:   User-Name = "huber@maier.de"
(295) eap_peap:   State = 0xdfebe385dfe2f9cb7f14999fa817c850
(295) Virtual server inner-tunnel received request
(295)   EAP-Message = 0x020900491a02090044314315e3109c1d299eeb2cb26ea554ef8a00000000000000006a481b57c4b44aa87900dee5fd6edd6278e861f0c69b6ddb006875626572406d616965722e6465
(295)   FreeRADIUS-Proxied-To = 127.0.0.1
(295)   User-Name = "huber@maier.de"
(295)   State = 0xdfebe385dfe2f9cb7f14999fa817c850
(295) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(295) server inner-tunnel {
(295)   session-state: No cached attributes
(295)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(295)     authorize {
(295)       policy filter_username {
(295)         if (&User-Name) {
(295)         if (&User-Name)  -> TRUE
(295)         if (&User-Name)  {
(295)           if (&User-Name =~ / /) {
(295)           if (&User-Name =~ / /)  -> FALSE
(295)           if (&User-Name =~ /@[^@]*@/ ) {
(295)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(295)           if (&User-Name =~ /\.\./ ) {
(295)           if (&User-Name =~ /\.\./ )  -> FALSE
(295)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(295)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(295)           if (&User-Name =~ /\.$/)  {
(295)           if (&User-Name =~ /\.$/)   -> FALSE
(295)           if (&User-Name =~ /@\./)  {
(295)           if (&User-Name =~ /@\./)   -> FALSE
(295)         } # if (&User-Name)  = notfound
(295)       } # policy filter_username = notfound
(295)       [chap] = noop
(295)       [mschap] = noop
(295) suffix: Checking for suffix after "@"
(295) suffix: Looking up realm "maier.de" for User-Name = "huber@maier.de"
(295) suffix: No such realm "maier.de"
(295)       [suffix] = noop
(295)       update control {
(295)         &Proxy-To-Realm := LOCAL
(295)       } # update control = noop
(295) eap: Peer sent EAP Response (code 2) ID 9 length 73
(295) eap: No EAP Start, assuming it's an on-going EAP conversation
(295)       [eap] = updated
(295)       [files] = noop
(295) sql: EXPAND %{User-Name}
(295) sql:    --> huber@maier.de
(295) sql: SQL-User-Name set to 'huber@maier.de'
rlm_sql (sql): Closing connection (12): Hit idle_timeout, was idle for 225 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (11): Hit idle_timeout, was idle for 225 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (10): Hit idle_timeout, was idle for 225 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): 0 of 0 connections in use.  You  may need to increase "spare"
rlm_sql (sql): Opening additional connection (13), 1 of 32 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'WIRELESS-DB' on 198.51.100.34 via TCP/IP, server version 5.5.54-0+deb8u1, protocol version 10
rlm_sql (sql): Reserved connection (13)
(295) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(295) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'huber@maier.de' ORDER BY id
(295) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'huber@maier.de' ORDER BY id
(295) sql: User found in radcheck table
(295) sql: Conditional check items matched, merging assignment check items
(295) sql:   Cleartext-Password := "test123"
(295) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(295) sql:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'huber@maier.de' ORDER BY id
(295) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'huber@maier.de' ORDER BY id
(295) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(295) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'huber@maier.de' ORDER BY priority
(295) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'huber@maier.de' ORDER BY priority
(295) sql: User found in the group table
(295) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(295) sql:    --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'filter' ORDER BY id
(295) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'filter' ORDER BY id
(295) sql: Group "filter": Conditional check items matched
(295) sql: Group "filter": Merging assignment check items
(295) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(295) sql:    --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'filter' ORDER BY id
(295) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'filter' ORDER BY id
(295) sql: Group "filter": Merging reply items
(295) sql:   Mikrotik_Wireless_VLANID := 20
(295) sql:   Mikrotik_Wireless_VLANIDtype := 0
rlm_sql (sql): Released connection (13)
rlm_sql (sql): Need 2 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (14), 1 of 31 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'WIRELESS-DB' on 198.51.100.34 via TCP/IP, server version 5.5.54-0+deb8u1, protocol version 10
(295)       [sql] = ok
(295)       [expiration] = noop
(295)       [logintime] = noop
(295) pap: WARNING: Auth-Type already set.  Not setting to PAP
(295)       [pap] = noop
(295)     } # authorize = updated
(295)   Found Auth-Type = eap
(295)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(295)     authenticate {
(295) eap: Expiring EAP session with state 0xdfebe385dfe2f9cb
(295) eap: Finished EAP session with state 0xdfebe385dfe2f9cb
(295) eap: Previous EAP request found for state 0xdfebe385dfe2f9cb, released from the list
(295) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(295) eap: Calling submodule eap_mschapv2 to process data
(295) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(295) eap_mschapv2:   authenticate {
(295) mschap: Found Cleartext-Password, hashing to create NT-Password
(295) mschap: Found Cleartext-Password, hashing to create LM-Password
(295) mschap: Creating challenge hash with username: huber@maier.de
(295) mschap: Client is using MS-CHAPv2
(295) mschap: Adding MS-CHAPv2 MPPE keys
(295)     [mschap] = ok
(295)   } # authenticate = ok
(295) MSCHAP Success
(295) eap: Sending EAP Request (code 1) ID 10 length 51
(295) eap: EAP session adding &reply:State = 0xdfebe385dee1f9cb
(295)       [eap] = handled
(295)     } # authenticate = handled
(295) } # server inner-tunnel
(295) Virtual server sending reply
(295)   Mikrotik_Wireless_VLANID = 20
(295)   Mikrotik_Wireless_VLANIDtype = 0
(295)   EAP-Message = 0x010a00331a0309002e533d46343132363939343733433832373135323241414339393243303845363835304239463230463138
(295)   Message-Authenticator = 0x00000000000000000000000000000000
(295)   State = 0xdfebe385dee1f9cb7f14999fa817c850
(295) eap_peap: Got tunneled reply code 11
(295) eap_peap:   Mikrotik_Wireless_VLANID = 20
(295) eap_peap:   Mikrotik_Wireless_VLANIDtype = 0
(295) eap_peap:   EAP-Message = 0x010a00331a0309002e533d46343132363939343733433832373135323241414339393243303845363835304239463230463138
(295) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(295) eap_peap:   State = 0xdfebe385dee1f9cb7f14999fa817c850
(295) eap_peap: Got tunneled reply RADIUS code 11
(295) eap_peap:   Mikrotik_Wireless_VLANID = 20
(295) eap_peap:   Mikrotik_Wireless_VLANIDtype = 0
(295) eap_peap:   EAP-Message = 0x010a00331a0309002e533d46343132363939343733433832373135323241414339393243303845363835304239463230463138
(295) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(295) eap_peap:   State = 0xdfebe385dee1f9cb7f14999fa817c850
(295) eap_peap: Got tunneled Access-Challenge
(295) eap: Sending EAP Request (code 1) ID 10 length 91
(295) eap: EAP session adding &reply:State = 0xc1bb6d52c9b174cd
(295)     [eap] = handled
(295)   } # authenticate = handled
(295) Using Post-Auth-Type Challenge
(295) Post-Auth-Type sub-section not found.  Ignoring.
(295) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(295) Sent Access-Challenge Id 139 from 198.51.100.35:1812 to 198.51.100.34:1814 length 0
(295)   EAP-Message = 0x010a005b1900170301005041bd8fac563a205f6c6c3511a79107e75a4b55fca1ffda4420bd15d26abcc1d1b44a207667c1c3674e9b6e0a678b9016a55701f40f4581278312e0365400e56f46593eb609fe69694300d5728bf0ad9b
(295)   Message-Authenticator = 0x00000000000000000000000000000000
(295)   State = 0xc1bb6d52c9b174cd71f70b1b63d2de6d
(295)   Proxy-State = 0x323438
(295) Finished request
Waking up in 3.8 seconds.
(296) Received Access-Request Id 24 from 198.51.100.34:1814 to 198.51.100.35:1812 length 245
(296)   Service-Type = Framed-User
(296)   Framed-MTU = 1400
(296)   User-Name = "huber@maier.de"
(296)   State = 0xc1bb6d52c9b174cd71f70b1b63d2de6d
(296)   NAS-Port-Id = "CAP-6C3B6B7695E3-1-1"
(296)   NAS-Port-Type = Wireless-802.11
(296)   Acct-Session-Id = "8210066c"
(296)   Calling-Station-Id = "A0-88-B4-D7-58-A4"
(296)   Called-Station-Id = "6e-3b-6b-76-95-e9:WIRELESS"
(296)   EAP-Message = 0x020a002b19001703010020b020e7d4045a294752e394084ae591e79404fa60cbfed40fe1070d2a88dec862
(296)   Message-Authenticator = 0x017e093c706b654367ef9536c3fce23a
(296)   NAS-Identifier = "CAPsMAN"
(296)   NAS-IP-Address = 198.51.100.33
(296)   Proxy-State = 0x323439
(296) session-state: No cached attributes
(296) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(296)   authorize {
(296)     policy filter_username {
(296)       if (&User-Name) {
(296)       if (&User-Name)  -> TRUE
(296)       if (&User-Name)  {
(296)         if (&User-Name =~ / /) {
(296)         if (&User-Name =~ / /)  -> FALSE
(296)         if (&User-Name =~ /@[^@]*@/ ) {
(296)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(296)         if (&User-Name =~ /\.\./ ) {
(296)         if (&User-Name =~ /\.\./ )  -> FALSE
(296)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(296)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(296)         if (&User-Name =~ /\.$/)  {
(296)         if (&User-Name =~ /\.$/)   -> FALSE
(296)         if (&User-Name =~ /@\./)  {
(296)         if (&User-Name =~ /@\./)   -> FALSE
(296)       } # if (&User-Name)  = notfound
(296)     } # policy filter_username = notfound
(296)     [preprocess] = ok
(296)     [chap] = noop
(296)     [mschap] = noop
(296)     [digest] = noop
(296) suffix: Checking for suffix after "@"
(296) suffix: Looking up realm "maier.de" for User-Name = "huber@maier.de"
(296) suffix: No such realm "maier.de"
(296)     [suffix] = noop
(296) eap: Peer sent EAP Response (code 2) ID 10 length 43
(296) eap: Continuing tunnel setup
(296)     [eap] = ok
(296)   } # authorize = ok
(296) Found Auth-Type = eap
(296) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(296)   authenticate {
(296) eap: Expiring EAP session with state 0xdfebe385dee1f9cb
(296) eap: Finished EAP session with state 0xc1bb6d52c9b174cd
(296) eap: Previous EAP request found for state 0xc1bb6d52c9b174cd, released from the list
(296) eap: Peer sent packet with method EAP PEAP (25)
(296) eap: Calling submodule eap_peap to process data
(296) eap_peap: Continuing EAP-TLS
(296) eap_peap: [eaptls verify] = ok
(296) eap_peap: Done initial handshake
(296) eap_peap: [eaptls process] = ok
(296) eap_peap: Session established.  Decoding tunneled attributes
(296) eap_peap: PEAP state phase2
(296) eap_peap: EAP method MSCHAPv2 (26)
(296) eap_peap: Got tunneled request
(296) eap_peap:   EAP-Message = 0x020a00061a03
(296) eap_peap: Setting User-Name to huber@maier.de
(296) eap_peap: Sending tunneled request to inner-tunnel
(296) eap_peap:   EAP-Message = 0x020a00061a03
(296) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(296) eap_peap:   User-Name = "huber@maier.de"
(296) eap_peap:   State = 0xdfebe385dee1f9cb7f14999fa817c850
(296) Virtual server inner-tunnel received request
(296)   EAP-Message = 0x020a00061a03
(296)   FreeRADIUS-Proxied-To = 127.0.0.1
(296)   User-Name = "huber@maier.de"
(296)   State = 0xdfebe385dee1f9cb7f14999fa817c850
(296) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(296) server inner-tunnel {
(296)   session-state: No cached attributes
(296)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(296)     authorize {
(296)       policy filter_username {
(296)         if (&User-Name) {
(296)         if (&User-Name)  -> TRUE
(296)         if (&User-Name)  {
(296)           if (&User-Name =~ / /) {
(296)           if (&User-Name =~ / /)  -> FALSE
(296)           if (&User-Name =~ /@[^@]*@/ ) {
(296)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(296)           if (&User-Name =~ /\.\./ ) {
(296)           if (&User-Name =~ /\.\./ )  -> FALSE
(296)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(296)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(296)           if (&User-Name =~ /\.$/)  {
(296)           if (&User-Name =~ /\.$/)   -> FALSE
(296)           if (&User-Name =~ /@\./)  {
(296)           if (&User-Name =~ /@\./)   -> FALSE
(296)         } # if (&User-Name)  = notfound
(296)       } # policy filter_username = notfound
(296)       [chap] = noop
(296)       [mschap] = noop
(296) suffix: Checking for suffix after "@"
(296) suffix: Looking up realm "maier.de" for User-Name = "huber@maier.de"
(296) suffix: No such realm "maier.de"
(296)       [suffix] = noop
(296)       update control {
(296)         &Proxy-To-Realm := LOCAL
(296)       } # update control = noop
(296) eap: Peer sent EAP Response (code 2) ID 10 length 6
(296) eap: No EAP Start, assuming it's an on-going EAP conversation
(296)       [eap] = updated
(296)       [files] = noop
(296) sql: EXPAND %{User-Name}
(296) sql:    --> huber@maier.de
(296) sql: SQL-User-Name set to 'huber@maier.de'
rlm_sql (sql): Reserved connection (13)
(296) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(296) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'huber@maier.de' ORDER BY id
(296) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'huber@maier.de' ORDER BY id
(296) sql: User found in radcheck table
(296) sql: Conditional check items matched, merging assignment check items
(296) sql:   Cleartext-Password := "test123"
(296) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(296) sql:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'huber@maier.de' ORDER BY id
(296) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'huber@maier.de' ORDER BY id
(296) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(296) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'huber@maier.de' ORDER BY priority
(296) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'huber@maier.de' ORDER BY priority
(296) sql: User found in the group table
(296) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(296) sql:    --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'filter' ORDER BY id
(296) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'filter' ORDER BY id
(296) sql: Group "filter": Conditional check items matched
(296) sql: Group "filter": Merging assignment check items
(296) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(296) sql:    --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'filter' ORDER BY id
(296) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'filter' ORDER BY id
(296) sql: Group "filter": Merging reply items
(296) sql:   Mikrotik_Wireless_VLANID := 20
(296) sql:   Mikrotik_Wireless_VLANIDtype := 0
rlm_sql (sql): Released connection (13)
rlm_sql (sql): Need 1 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (15), 1 of 30 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'WIRELESS-DB' on 198.51.100.34 via TCP/IP, server version 5.5.54-0+deb8u1, protocol version 10
(296)       [sql] = ok
(296)       [expiration] = noop
(296)       [logintime] = noop
(296) pap: WARNING: Auth-Type already set.  Not setting to PAP
(296)       [pap] = noop
(296)     } # authorize = updated
(296)   Found Auth-Type = eap
(296)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(296)     authenticate {
(296) eap: Expiring EAP session with state 0xdfebe385dee1f9cb
(296) eap: Finished EAP session with state 0xdfebe385dee1f9cb
(296) eap: Previous EAP request found for state 0xdfebe385dee1f9cb, released from the list
(296) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(296) eap: Calling submodule eap_mschapv2 to process data
(296) eap: Sending EAP Success (code 3) ID 10 length 4
(296) eap: Freeing handler
(296)       [eap] = ok
(296)     } # authenticate = ok
(296)   # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(296)     post-auth {
(296) sql: EXPAND .query
(296) sql:    --> .query
(296) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (14)
(296) sql: EXPAND %{User-Name}
(296) sql:    --> huber@maier.de
(296) sql: SQL-User-Name set to 'huber@maier.de'
(296) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(296) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'huber@maier.de', '', 'Access-Accept', '2017-03-12 02:43:33')
(296) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'huber@maier.de', '', 'Access-Accept', '2017-03-12 02:43:33')
(296) sql: SQL query returned: success
(296) sql: 1 record(s) updated
rlm_sql (sql): Released connection (14)
(296)       [sql] = ok
(296)     } # post-auth = ok
(296) } # server inner-tunnel
(296) Virtual server sending reply
(296)   Mikrotik_Wireless_VLANID = 20
(296)   Mikrotik_Wireless_VLANIDtype = 0
(296)   MS-MPPE-Encryption-Policy = Encryption-Required
(296)   MS-MPPE-Encryption-Types = 4
(296)   MS-MPPE-Send-Key = 0xb46dbc7a67f65c9c64e2822b272ae323
(296)   MS-MPPE-Recv-Key = 0x22fdb78706b3671347326a57467ed1c8
(296)   EAP-Message = 0x030a0004
(296)   Message-Authenticator = 0x00000000000000000000000000000000
(296)   User-Name = "huber@maier.de"
(296) eap_peap: Got tunneled reply code 2
(296) eap_peap:   Mikrotik_Wireless_VLANID = 20
(296) eap_peap:   Mikrotik_Wireless_VLANIDtype = 0
(296) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Required
(296) eap_peap:   MS-MPPE-Encryption-Types = 4
(296) eap_peap:   MS-MPPE-Send-Key = 0xb46dbc7a67f65c9c64e2822b272ae323
(296) eap_peap:   MS-MPPE-Recv-Key = 0x22fdb78706b3671347326a57467ed1c8
(296) eap_peap:   EAP-Message = 0x030a0004
(296) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(296) eap_peap:   User-Name = "huber@maier.de"
(296) eap_peap: Got tunneled reply RADIUS code 2
(296) eap_peap:   Mikrotik_Wireless_VLANID = 20
(296) eap_peap:   Mikrotik_Wireless_VLANIDtype = 0
(296) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Required
(296) eap_peap:   MS-MPPE-Encryption-Types = 4
(296) eap_peap:   MS-MPPE-Send-Key = 0xb46dbc7a67f65c9c64e2822b272ae323
(296) eap_peap:   MS-MPPE-Recv-Key = 0x22fdb78706b3671347326a57467ed1c8
(296) eap_peap:   EAP-Message = 0x030a0004
(296) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(296) eap_peap:   User-Name = "huber@maier.de"
(296) eap_peap: Tunneled authentication was successful
(296) eap_peap: SUCCESS
(296) eap: Sending EAP Request (code 1) ID 11 length 43
(296) eap: EAP session adding &reply:State = 0xc1bb6d52c8b074cd
(296)     [eap] = handled
(296)   } # authenticate = handled
(296) Using Post-Auth-Type Challenge
(296) Post-Auth-Type sub-section not found.  Ignoring.
(296) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(296) Sent Access-Challenge Id 24 from 198.51.100.35:1812 to 198.51.100.34:1814 length 0
(296)   EAP-Message = 0x010b002b190017030100200b748b0dde6486bda29a6968c2b6be0da9452c69aed819e0999c6ba0296b38ec
(296)   Message-Authenticator = 0x00000000000000000000000000000000
(296)   State = 0xc1bb6d52c8b074cd71f70b1b63d2de6d
(296)   Proxy-State = 0x323439
(296) Finished request
Waking up in 3.6 seconds.
(297) Received Access-Request Id 33 from 198.51.100.34:1814 to 198.51.100.35:1812 length 245
(297)   Service-Type = Framed-User
(297)   Framed-MTU = 1400
(297)   User-Name = "huber@maier.de"
(297)   State = 0xc1bb6d52c8b074cd71f70b1b63d2de6d
(297)   NAS-Port-Id = "CAP-6C3B6B7695E3-1-1"
(297)   NAS-Port-Type = Wireless-802.11
(297)   Acct-Session-Id = "8210066c"
(297)   Calling-Station-Id = "A0-88-B4-D7-58-A4"
(297)   Called-Station-Id = "6e-3b-6b-76-95-e9:WIRELESS"
(297)   EAP-Message = 0x020b002b19001703010020ac6a7c9674b779295b536433c77b125c40b8b554b41e3fd187c8080acb970712
(297)   Message-Authenticator = 0x21e49cf582314e954828d6b4ccde1255
(297)   NAS-Identifier = "CAPsMAN"
(297)   NAS-IP-Address = 198.51.100.33
(297)   Proxy-State = 0x323530
(297) session-state: No cached attributes
(297) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(297)   authorize {
(297)     policy filter_username {
(297)       if (&User-Name) {
(297)       if (&User-Name)  -> TRUE
(297)       if (&User-Name)  {
(297)         if (&User-Name =~ / /) {
(297)         if (&User-Name =~ / /)  -> FALSE
(297)         if (&User-Name =~ /@[^@]*@/ ) {
(297)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(297)         if (&User-Name =~ /\.\./ ) {
(297)         if (&User-Name =~ /\.\./ )  -> FALSE
(297)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(297)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(297)         if (&User-Name =~ /\.$/)  {
(297)         if (&User-Name =~ /\.$/)   -> FALSE
(297)         if (&User-Name =~ /@\./)  {
(297)         if (&User-Name =~ /@\./)   -> FALSE
(297)       } # if (&User-Name)  = notfound
(297)     } # policy filter_username = notfound
(297)     [preprocess] = ok
(297)     [chap] = noop
(297)     [mschap] = noop
(297)     [digest] = noop
(297) suffix: Checking for suffix after "@"
(297) suffix: Looking up realm "maier.de" for User-Name = "huber@maier.de"
(297) suffix: No such realm "maier.de"
(297)     [suffix] = noop
(297) eap: Peer sent EAP Response (code 2) ID 11 length 43
(297) eap: Continuing tunnel setup
(297)     [eap] = ok
(297)   } # authorize = ok
(297) Found Auth-Type = eap
(297) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(297)   authenticate {
(297) eap: Expiring EAP session with state 0xc1bb6d52c8b074cd
(297) eap: Finished EAP session with state 0xc1bb6d52c8b074cd
(297) eap: Previous EAP request found for state 0xc1bb6d52c8b074cd, released from the list
(297) eap: Peer sent packet with method EAP PEAP (25)
(297) eap: Calling submodule eap_peap to process data
(297) eap_peap: Continuing EAP-TLS
(297) eap_peap: [eaptls verify] = ok
(297) eap_peap: Done initial handshake
(297) eap_peap: [eaptls process] = ok
(297) eap_peap: Session established.  Decoding tunneled attributes
(297) eap_peap: PEAP state send tlv success
(297) eap_peap: Received EAP-TLV response
(297) eap_peap: Success
(297) eap_peap: No information to cache: session caching will be disabled for session 38af41516247bd0f9e27b3e091fcc6da1696efd86eb8944f7694a973b9f2afa8
(297) eap: Sending EAP Success (code 3) ID 11 length 4
(297) eap: Freeing handler
(297)     [eap] = ok
(297)   } # authenticate = ok
(297) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(297)   post-auth {
(297)     update {
(297)       No attributes updated
(297)     } # update = noop
(297) sql: EXPAND .query
(297) sql:    --> .query
(297) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (13)
(297) sql: EXPAND %{User-Name}
(297) sql:    --> huber@maier.de
(297) sql: SQL-User-Name set to 'huber@maier.de'
(297) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(297) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'huber@maier.de', '', 'Access-Accept', '2017-03-12 02:43:33')
(297) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'huber@maier.de', '', 'Access-Accept', '2017-03-12 02:43:33')
(297) sql: SQL query returned: success
(297) sql: 1 record(s) updated
rlm_sql (sql): Released connection (13)
(297)     [sql] = ok
(297)     [exec] = noop
(297)     policy remove_reply_message_if_eap {
(297)       if (&reply:EAP-Message && &reply:Reply-Message) {
(297)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(297)       else {
(297)         [noop] = noop
(297)       } # else = noop
(297)     } # policy remove_reply_message_if_eap = noop
(297)   } # post-auth = ok
(297) Sent Access-Accept Id 33 from 198.51.100.35:1812 to 198.51.100.34:1814 length 0
(297)   MS-MPPE-Recv-Key = 0x4f29d1dc9930f329a1dd162b84f2be654b059679ba5d860dae483e0f08c2765d
(297)   MS-MPPE-Send-Key = 0x6d0f47900588793cf17c1e80b1942a528363bf004d4e8cc4863bb3fbc68149b2
(297)   EAP-Message = 0x030b0004
(297)   Message-Authenticator = 0x00000000000000000000000000000000
(297)   User-Name = "huber@maier.de"
(297)   Proxy-State = 0x323530
(297) Finished request
Waking up in 3.5 seconds.

MT Log output

03:43:29 radius,debug,packet sending Access-Request with id 240 to 198.51.100.34:1812 
03:43:29 radius,debug,packet     Signature = 0xe34ebd531d25863a352a4b41b4536a63 
03:43:29 radius,debug,packet     Service-Type = 2 
03:43:29 radius,debug,packet     Framed-MTU = 1400 
03:43:29 radius,debug,packet     User-Name = "huber@maier.de" 
03:43:29 radius,debug,packet     NAS-Port-Id = "CAP-6C3B6B7695E3-1-1" 
03:43:29 radius,debug,packet     NAS-Port-Type = 19 
03:43:29 radius,debug,packet     Acct-Session-Id = "8210066c" 
03:43:29 radius,debug,packet     Calling-Station-Id = "A0-88-B4-D7-58-A4" 
03:43:29 radius,debug,packet     Called-Station-Id = "6E-3B-6B-76-95-E9:WIRELESS" 
03:43:29 radius,debug,packet     EAP-Message = 0x02010013016875626572406d61696572 
03:43:29 radius,debug,packet       2e6465 
03:43:29 radius,debug,packet     Message-Authenticator = 0x814749b3dbc5024cdec13641cbf90759 
03:43:29 radius,debug,packet     NAS-Identifier = "CAPsMAN" 
03:43:29 radius,debug,packet     NAS-IP-Address = 198.51.100.33 
03:43:29 radius,debug,packet received Access-Challenge with id 240 from 198.51.100.34:1812 
03:43:29 radius,debug,packet     Signature = 0xb993496a3b9b7a4fece3cd4b1ae08545 
03:43:29 radius,debug,packet     EAP-Message = 0x010200061920 
03:43:29 radius,debug,packet     Message-Authenticator = 0x6cb1ddfbede3df413c5ecfade2aadfa8 
03:43:29 radius,debug,packet     State = 0xc1bb6d52c1b974cd71f70b1b63d2de6d 
03:43:29 radius,debug,packet sending Access-Request with id 241 to 198.51.100.34:1812 
03:43:29 radius,debug,packet     Signature = 0x0f863f4392dc12a38cb61e495c62a8b7 
03:43:29 radius,debug,packet     Service-Type = 2 
03:43:29 radius,debug,packet     Framed-MTU = 1400 
03:43:29 radius,debug,packet     User-Name = "huber@maier.de" 
03:43:29 radius,debug,packet     State = 0xc1bb6d52c1b974cd71f70b1b63d2de6d 
03:43:29 radius,debug,packet     NAS-Port-Id = "CAP-6C3B6B7695E3-1-1" 
03:43:29 radius,debug,packet     NAS-Port-Type = 19 
03:43:29 radius,debug,packet     Acct-Session-Id = "8210066c" 
03:43:29 radius,debug,packet     Calling-Station-Id = "A0-88-B4-D7-58-A4" 
03:43:29 radius,debug,packet     Called-Station-Id = "6E-3B-6B-76-95-E9:WIRELESS" 
03:43:29 radius,debug,packet     EAP-Message = 0x02020071198000000067160301006201 
03:43:29 radius,debug,packet       00005e030158c4b5d9c5b21146e2f5a3 
03:43:29 radius,debug,packet       7450b85f73a5d347667ddaf99d6fe35c 
03:43:29 radius,debug,packet       88cb6bc0a200001cc014c01300390033 
03:43:29 radius,debug,packet       0035002fc00ac00900380032000a0013 
03:43:29 radius,debug,packet       0005000401000019000a000600040017 
03:43:29 radius,debug,packet       0018000b0002010000170000ff010001 
03:43:29 radius,debug,packet       00 
03:43:29 radius,debug,packet     Message-Authenticator = 0x5d0d2635ebe10c9f3d0e7d2a863d1fc0 
03:43:29 radius,debug,packet     NAS-Identifier = "CAPsMAN" 
03:43:29 radius,debug,packet     NAS-IP-Address = 198.51.100.33 
03:43:29 radius,debug,packet received Access-Challenge with id 241 from 198.51.100.34:1812 
03:43:29 radius,debug,packet     Signature = 0x29e839b708538a82c26f2ff29f79c2e5 
03:43:29 radius,debug,packet     EAP-Message = 0x010303ec19c000000dc0160301005d02 
03:43:29 radius,debug,packet       000059030105ce231e2ab32150a342f7 
03:43:29 radius,debug,packet       a6e9015024385fd97b68c2cc50838886 
03:43:29 radius,debug,packet       78317d798f2038af41516247bd0f9e27 
03:43:29 radius,debug,packet       b3e091fcc6da1696efd86eb8944f7694 
03:43:29 radius,debug,packet       a973b9f2afa8c014000011ff01000100 
03:43:29 radius,debug,packet       000b000403000102001700001603010c 
03:43:29 radius,debug,packet       000b000bfc000bf900060a3082060630 
03:43:29 radius,debug,packet       8204eea003020102021048e3fb41169a 
03:43:29 radius,debug,packet       f201c0e110080cf92468300d06092a86 
03:43:29 radius,debug,packet       4886f70d01010b05003078310b300906 
03:43:29 radius,debug,packet       035504061302494c3116301406035504 
03:43:29 radius,debug,packet       0a130d5374617274436f6d204c74642e 
03:43:29 radius,debug,packet       31293027060355040b13205374617274 
03:43:29 radius,debug,packet       436f6d2043657274696669636174696f 
03:43:29 radius,debug,packet       6e20417574686f726974793126 
03:43:29 radius,debug,packet     EAP-Message = 0x30240603550403131d5374617274436f 
03:43:29 radius,debug,packet       6d20436c617373203120445620536572 
03:43:29 radius,debug,packet       766572204341301e170d313630383135 
03:43:29 radius,debug,packet       3039333233305a170d31373038313530 
03:43:29 radius,debug,packet       39333233305a3033310b300906035504 
03:43:29 radius,debug,packet       06130244453124302206035504030c1b 
03:43:29 radius,debug,packet       7261646975732e706661727265692d72 
03:43:29 radius,debug,packet       7564657274696e672e64653082012230 
03:43:29 radius,debug,packet       0d06092a864886f70d01010105000382 
03:43:29 radius,debug,packet       010f003082010a0282010100d8892724 
03:43:29 radius,debug,packet       877a09f642af4a9729415279ad905c2b 
03:43:29 radius,debug,packet       760a2bfcab2d69f363013a66a2d2d5ef 
03:43:29 radius,debug,packet       6296ca3625c5487d470209e4676660bd 
03:43:29 radius,debug,packet       5a2b3166e1de7899b694343ff47e20d7 
03:43:29 radius,debug,packet       c1f95d51c87aba08adb82a0052d650c1 
03:43:29 radius,debug,packet       1f9dbae92cf3cc832d10da9f1c 
03:43:29 radius,debug,packet     EAP-Message = 0x707ef5c76a71c706ea2164479cc937c9 
03:43:29 radius,debug,packet       a8abfd11c8c5070ce714e31caeafceaf 
03:43:29 radius,debug,packet       70469c9685bcbeacdfd66a0dfb04c251 
03:43:29 radius,debug,packet       2b0c301803344ab7dd15c8ebb5175f58 
03:43:29 radius,debug,packet       5592d4020a7996eb9d32e875a8bf5383 
03:43:29 radius,debug,packet       1b3670bb56979e6066ab5f23ae6ab0e2 
03:43:29 radius,debug,packet       542ac8c64db3227db9db4e9e5500b4d7 
03:43:29 radius,debug,packet       9fd36da34c5021d35a4ed027fc0f7439 
03:43:29 radius,debug,packet       47e457a1851b54f6c9994510df8983f4 
03:43:29 radius,debug,packet       a4eb1caa781f9877cd6718903560a902 
03:43:29 radius,debug,packet       03010001a38202cf308202cb300e0603 
03:43:29 radius,debug,packet       551d0f0101ff0404030205a0301d0603 
03:43:29 radius,debug,packet       551d250416301406082b060105050703 
03:43:29 radius,debug,packet       0206082b060105050703013009060355 
03:43:29 radius,debug,packet       1d1304023000301d0603551d0e041604 
03:43:29 radius,debug,packet       14de56c55516583d7e3c243664 
03:43:29 radius,debug,packet     EAP-Message = 0x38175586ad44f656301f0603551d2304 
03:43:29 radius,debug,packet       1830168014d7914e01c4b0bff8c86793 
03:43:29 radius,debug,packet       449ce733faad930caf306f06082b0601 
03:43:29 radius,debug,packet       050507010104633061302406082b0601 
03:43:29 radius,debug,packet       05050730018618687474703a2f2f6f63 
03:43:29 radius,debug,packet       73702e737461727473736c2e636f6d30 
03:43:29 radius,debug,packet       3906082b06010505073002862d687474 
03:43:29 radius,debug,packet       703a2f2f6169612e737461727473736c 
03:43:29 radius,debug,packet       2e636f6d2f63657274732f7363612e73 
03:43:29 radius,debug,packet       6572766572312e63727430380603551d 
03:43:29 radius,debug,packet       1f0431302f302da02ba0298627687474 
03:43:29 radius,debug,packet       703a2f2f63726c2e737461727473736c 
03:43:29 radius,debug,packet       2e636f6d2f7363612d73657276657231 
03:43:29 radius,debug,packet       2e63726c30260603551d11041f301d82 
03:43:29 radius,debug,packet       1b7261646975732e706661727265692d 
03:43:29 radius,debug,packet       7275646572 
03:43:29 radius,debug,packet     Message-Authenticator = 0x2c75a9a3114432bb331544a554b47f2e 
03:43:29 radius,debug,packet     State = 0xc1bb6d52c0b874cd71f70b1b63d2de6d 
03:43:29 radius,debug,packet sending Access-Request with id 242 to 198.51.100.34:1812 
03:43:29 radius,debug,packet     Signature = 0x0874fa5daee3b764dbe9deb54ca26aec 
03:43:29 radius,debug,packet     Service-Type = 2 
03:43:29 radius,debug,packet     Framed-MTU = 1400 
03:43:29 radius,debug,packet     User-Name = "huber@maier.de" 
03:43:29 radius,debug,packet     State = 0xc1bb6d52c0b874cd71f70b1b63d2de6d 
03:43:29 radius,debug,packet     NAS-Port-Id = "CAP-6C3B6B7695E3-1-1" 
03:43:29 radius,debug,packet     NAS-Port-Type = 19 
03:43:29 radius,debug,packet     Acct-Session-Id = "8210066c" 
03:43:29 radius,debug,packet     Calling-Station-Id = "A0-88-B4-D7-58-A4" 
03:43:29 radius,debug,packet     Called-Station-Id = "6E-3B-6B-76-95-E9:WIRELESS" 
03:43:29 radius,debug,packet     EAP-Message = 0x020300061900 
03:43:29 radius,debug,packet     Message-Authenticator = 0x8e8f81bc766ba509c1ed61d4d6b4bc6d 
03:43:29 radius,debug,packet     NAS-Identifier = "CAPsMAN" 
03:43:29 radius,debug,packet     NAS-IP-Address = 198.51.100.33 
03:43:29 radius,debug,packet received Access-Challenge with id 242 from 198.51.100.34:1812 
03:43:29 radius,debug,packet     Signature = 0x9c904f22ff0e3bb45dae06fb522c784a 
03:43:29 radius,debug,packet     EAP-Message = 0x010403e8194074696e672e6465302306 
03:43:29 radius,debug,packet       03551d12041c301a8618687474703a2f 
03:43:29 radius,debug,packet       2f7777772e737461727473736c2e636f 
03:43:29 radius,debug,packet       6d2f30510603551d20044a3048300806 
03:43:29 radius,debug,packet       0667810c010201303c060b2b06010401 
03:43:29 radius,debug,packet       81b537010205302d302b06082b060105 
03:43:29 radius,debug,packet       05070201161f68747470733a2f2f7777 
03:43:29 radius,debug,packet       772e737461727473736c2e636f6d2f70 
03:43:29 radius,debug,packet       6f6c69637930820102060a2b06010401 
03:43:29 radius,debug,packet       d6790204020481f30481f000ee007500 
03:43:29 radius,debug,packet       68f698f81f6482be3a8ceeb9281d4cfc 
03:43:29 radius,debug,packet       71515d6793d444d10a67acbb4f4ffbc4 
03:43:29 radius,debug,packet       000001568da8c1c60000040300463044 
03:43:29 radius,debug,packet       02202ef52672e8f3f6b991b02ceeb3ef 
03:43:29 radius,debug,packet       0091cbc3d3e7548462491cc83fce81c8 
03:43:29 radius,debug,packet       c10f022000c2ffa1239bc8ac1e 
03:43:29 radius,debug,packet     EAP-Message = 0x41eab74e0f446447e2a91790de6d2593 
03:43:29 radius,debug,packet       e2d34f9c51d63a007500a4b90990b418 
03:43:29 radius,debug,packet       581487bb13a2cc67700a3c359804f91b 
03:43:29 radius,debug,packet       dfb8e377cd0ec80ddc10000001568da8 
03:43:29 radius,debug,packet       c1f10000040300463044022004005a1a 
03:43:29 radius,debug,packet       d2fa82dd5ba66bd32554ac73273544d7 
03:43:29 radius,debug,packet       a312e1b43d235cc53ad7cbc702200b80 
03:43:29 radius,debug,packet       1d9f745db7433f684a6406467d03fc1f 
03:43:29 radius,debug,packet       344299e160f2356e496e49e31118300d 
03:43:29 radius,debug,packet       06092a864886f70d01010b0500038201 
03:43:29 radius,debug,packet       0100ae35547982b43f25feed4412df12 
03:43:29 radius,debug,packet       45a806e9dc36b19cf7d6ea255a784513 
03:43:29 radius,debug,packet       afb1cb8d757b1103a972a5ea3eb4d2a9 
03:43:29 radius,debug,packet       9f47fbb50d6d8714dcc300519d985bc9 
03:43:29 radius,debug,packet       d9a74a16d057ad60ca45845ed23a8b8f 
03:43:29 radius,debug,packet       d374dd3da6893e8ed750fbaaf1 
03:43:29 radius,debug,packet     EAP-Message = 0x450efe1d0af3e4157861f62617f87dea 
03:43:29 radius,debug,packet       affb3d6ffd8a6105e1fee8134c7fcd5e 
03:43:29 radius,debug,packet       81480d85cec880f6cd3fcae9cf079654 
03:43:29 radius,debug,packet       13398b6c80ca3d286d61aaf6b12eadcb 
03:43:29 radius,debug,packet       c1c5d5ba5bcedb57801020a355548d2a 
03:43:29 radius,debug,packet       55468c036785a94dc50f924ccf5d6e52 
03:43:29 radius,debug,packet       6d2bb55ec75e940ea5a10c93890aca47 
03:43:29 radius,debug,packet       7b1fb53185677eb497145cdd3b9135cb 
03:43:29 radius,debug,packet       09acc070c06b984e35e512a8e6b006f9 
03:43:29 radius,debug,packet       b0974ac52fae9b47b4e891b062d43d04 
03:43:29 radius,debug,packet       2cb5ef4cfe0005e9308205e5308203cd 
03:43:29 radius,debug,packet       a00302010202106a5dc3e53b4e4fd07b 
03:43:29 radius,debug,packet       691ea5fcec646b300d06092a864886f7 
03:43:29 radius,debug,packet       0d01010b0500307d310b300906035504 
03:43:29 radius,debug,packet       061302494c31163014060355040a130d 
03:43:29 radius,debug,packet       5374617274436f6d204c74642e 
03:43:29 radius,debug,packet     EAP-Message = 0x312b3029060355040b13225365637572 
03:43:29 radius,debug,packet       65204469676974616c20436572746966 
03:43:29 radius,debug,packet       6963617465205369676e696e67312930 
03:43:29 radius,debug,packet       27060355040313205374617274436f6d 
03:43:29 radius,debug,packet       2043657274696669636174696f6e2041 
03:43:29 radius,debug,packet       7574686f72697479301e170d31353132 
03:43:29 radius,debug,packet       31363031303030355a170d3330313231 
03:43:29 radius,debug,packet       363031303030355a3078310b30090603 
03:43:29 radius,debug,packet       5504061302494c31163014060355040a 
03:43:29 radius,debug,packet       130d5374617274436f6d204c74642e31 
03:43:29 radius,debug,packet       293027060355040b1320537461727443 
03:43:29 radius,debug,packet       6f6d2043657274696669636174696f6e 
03:43:29 radius,debug,packet       20417574686f72697479312630240603 
03:43:29 radius,debug,packet       550403131d5374617274436f6d20436c 
03:43:29 radius,debug,packet       61737320312044562053657276657220 
03:43:29 radius,debug,packet       43 
03:43:29 radius,debug,packet     Message-Authenticator = 0xb1d0d6b43f1dc47614b396a52d8ae590 
03:43:29 radius,debug,packet     State = 0xc1bb6d52c3bf74cd71f70b1b63d2de6d 
03:43:30 radius,debug,packet sending Access-Request with id 243 to 198.51.100.34:1812 
03:43:30 radius,debug,packet     Signature = 0x1f03080861b4bd7a28f95e14a5323e11 
03:43:30 radius,debug,packet     Service-Type = 2 
03:43:30 radius,debug,packet     Framed-MTU = 1400 
03:43:30 radius,debug,packet     User-Name = "huber@maier.de" 
03:43:30 radius,debug,packet     State = 0xc1bb6d52c3bf74cd71f70b1b63d2de6d 
03:43:30 radius,debug,packet     NAS-Port-Id = "CAP-6C3B6B7695E3-1-1" 
03:43:30 radius,debug,packet     NAS-Port-Type = 19 
03:43:30 radius,debug,packet     Acct-Session-Id = "8210066c" 
03:43:30 radius,debug,packet     Calling-Station-Id = "A0-88-B4-D7-58-A4" 
03:43:30 radius,debug,packet     Called-Station-Id = "6E-3B-6B-76-95-E9:WIRELESS" 
03:43:30 radius,debug,packet     EAP-Message = 0x020400061900 
03:43:30 radius,debug,packet     Message-Authenticator = 0x88ae4f898522d679df4e16314f42bdb8 
03:43:30 radius,debug,packet     NAS-Identifier = "CAPsMAN" 
03:43:30 radius,debug,packet     NAS-IP-Address = 198.51.100.33 
03:43:30 radius,debug,packet received Access-Challenge with id 243 from 198.51.100.34:1812 
03:43:30 radius,debug,packet     Signature = 0x33db09ac15bb315d8e2b95624e417a04 
03:43:30 radius,debug,packet     EAP-Message = 0x010503e819404130820122300d06092a 
03:43:30 radius,debug,packet       864886f70d01010105000382010f0030 
03:43:30 radius,debug,packet       82010a0282010100daecf4aa88678bb0 
03:43:30 radius,debug,packet       4b626696bfc94468e6c22b4ca033ceac 
03:43:30 radius,debug,packet       79e376c3d156e075af41b40a4580efcb 
03:43:30 radius,debug,packet       8de416e326143e111e41e7d4c93bb228 
03:43:30 radius,debug,packet       d7909fc5f0d1fee538db8a7b3bb45202 
03:43:30 radius,debug,packet       65777e41ed8e0c231c59b38ba18079e2 
03:43:30 radius,debug,packet       c339d78b6c664ea6dcce25662de0993e 
03:43:30 radius,debug,packet       c848588d74aa5ffc2ddd6706ac59e6be 
03:43:30 radius,debug,packet       75b2e9c1059911c33aa025e65bfe8bde 
03:43:30 radius,debug,packet       4c100210b41a1266dab055ad8103bd9a 
03:43:30 radius,debug,packet       b510adc1bfe8398005bc0d57eeb146a2 
03:43:30 radius,debug,packet       a325b4c1f41d9cab4e2efd4ce2bb5ece 
03:43:30 radius,debug,packet       b2ad13c4f9b63c9e2af16a317f77f8b6 
03:43:30 radius,debug,packet       15953f15b3eb03d76b379dc95d 
03:43:30 radius,debug,packet     EAP-Message = 0xa840cb53cf488818e0e85b1b2df33629 
03:43:30 radius,debug,packet       eb7fdd16dfbe081f40c3d0b218a9761a 
03:43:30 radius,debug,packet       d92fcab5d2389b4e5562190203010001 
03:43:30 radius,debug,packet       a382016430820160300e0603551d0f01 
03:43:30 radius,debug,packet       01ff040403020106301d0603551d2504 
03:43:30 radius,debug,packet       16301406082b0601050507030206082b 
03:43:30 radius,debug,packet       0601050507030130120603551d130101 
03:43:30 radius,debug,packet       ff040830060101ff0201003032060355 
03:43:30 radius,debug,packet       1d1f042b30293027a025a02386216874 
03:43:30 radius,debug,packet       74703a2f2f63726c2e73746172747373 
03:43:30 radius,debug,packet       6c2e636f6d2f73667363612e63726c30 
03:43:30 radius,debug,packet       6606082b06010505070101045a305830 
03:43:30 radius,debug,packet       2406082b060105050730018618687474 
03:43:30 radius,debug,packet       703a2f2f6f6373702e73746172747373 
03:43:30 radius,debug,packet       6c2e636f6d303006082b060105050730 
03:43:30 radius,debug,packet       028624687474703a2f2f616961 
03:43:30 radius,debug,packet     EAP-Message = 0x2e737461727473736c2e636f6d2f6365 
03:43:30 radius,debug,packet       7274732f63612e637274301d0603551d 
03:43:30 radius,debug,packet       0e04160414d7914e01c4b0bff8c86793 
03:43:30 radius,debug,packet       449ce733faad930caf301f0603551d23 
03:43:30 radius,debug,packet       0418301680144e0bef1aa4405ba51769 
03:43:30 radius,debug,packet       8730ca346843d041aef2303f0603551d 
03:43:30 radius,debug,packet       200438303630340604551d2000302c30 
03:43:30 radius,debug,packet       2a06082b06010505070201161e687474 
03:43:30 radius,debug,packet       703a2f2f7777772e737461727473736c 
03:43:30 radius,debug,packet       2e636f6d2f706f6c696379300d06092a 
03:43:30 radius,debug,packet       864886f70d01010b050003820201008e 
03:43:30 radius,debug,packet       e73fbde44bba82883d2bd7bb0dab505d 
03:43:30 radius,debug,packet       f7942fccead58723d072a8dd9bc58518 
03:43:30 radius,debug,packet       d42c056b323ec9ad446d7e86738930e5 
03:43:30 radius,debug,packet       dfd82f30384bbe8379105118416cab7b 
03:43:30 radius,debug,packet       9c92b05806799407202d338444 
03:43:30 radius,debug,packet     EAP-Message = 0xc82d2c8013b24229a109fff00f9e4710 
03:43:30 radius,debug,packet       7f1e39f063ae26f8bea762694716bc49 
03:43:30 radius,debug,packet       cfc7549f47a80ebced06db2451599543 
03:43:30 radius,debug,packet       f922a2ed09bf3265505445de0d9bffb4 
03:43:30 radius,debug,packet       d435c1ce89a840fc002b771897d6ebe9 
03:43:30 radius,debug,packet       0f9e2a608a3ca37a5f8213d60c2dc17b 
03:43:30 radius,debug,packet       9c6b57f73a96536d414f74fcf52af3f5 
03:43:30 radius,debug,packet       a8216dfab36279298e04defa5daf5f7f 
03:43:30 radius,debug,packet       3a01072cd5767be4d8e1eea29989abf7 
03:43:30 radius,debug,packet       8717e137b3e185613e8ec63adecff944 
03:43:30 radius,debug,packet       6c1be01261b25d93996a3e977839c1c4 
03:43:30 radius,debug,packet       e21844e0df9d91bdf5ccb6ab95ad0cb1 
03:43:30 radius,debug,packet       caba232880918ef3d3d6688da32b502a 
03:43:30 radius,debug,packet       e6c6b48f9e63a7625e1576d189e2b0e4 
03:43:30 radius,debug,packet       22ab782222351f4ca5a7df89e2e06d37 
03:43:30 radius,debug,packet       0a 
03:43:30 radius,debug,packet     Message-Authenticator = 0x7de4842ae4ba90547c74ba72e1e192ff 
03:43:30 radius,debug,packet     State = 0xc1bb6d52c2be74cd71f70b1b63d2de6d 
03:43:30 radius,debug,packet sending Access-Request with id 244 to 198.51.100.34:1812 
03:43:30 radius,debug,packet     Signature = 0x40095b2678081b8774342676fbaee23e 
03:43:30 radius,debug,packet     Service-Type = 2 
03:43:30 radius,debug,packet     Framed-MTU = 1400 
03:43:30 radius,debug,packet     User-Name = "huber@maier.de" 
03:43:30 radius,debug,packet     State = 0xc1bb6d52c2be74cd71f70b1b63d2de6d 
03:43:30 radius,debug,packet     NAS-Port-Id = "CAP-6C3B6B7695E3-1-1" 
03:43:30 radius,debug,packet     NAS-Port-Type = 19 
03:43:30 radius,debug,packet     Acct-Session-Id = "8210066c" 
03:43:30 radius,debug,packet     Calling-Station-Id = "A0-88-B4-D7-58-A4" 
03:43:30 radius,debug,packet     Called-Station-Id = "6E-3B-6B-76-95-E9:WIRELESS" 
03:43:30 radius,debug,packet     EAP-Message = 0x020500061900 
03:43:30 radius,debug,packet     Message-Authenticator = 0x3439a6b7907ae3ad64469ba8c9418875 
03:43:30 radius,debug,packet     NAS-Identifier = "CAPsMAN" 
03:43:30 radius,debug,packet     NAS-IP-Address = 198.51.100.33 
03:43:30 radius,debug,packet received Access-Challenge with id 244 from 198.51.100.34:1812 
03:43:30 radius,debug,packet     Signature = 0x6e107f2c7896cbea1ef63db70fe5729f 
03:43:30 radius,debug,packet     EAP-Message = 0x010602201900d4148a8f1519b5dec1a8 
03:43:30 radius,debug,packet       9df1d65bc3da36deed62aaceeb196ed3 
03:43:30 radius,debug,packet       e1160ac30ec81dc36ef342890d601659 
03:43:30 radius,debug,packet       69ad4bc1864666075d88070b71892294 
03:43:30 radius,debug,packet       6a1b036c0b2a4e9e633e959dab43748e 
03:43:30 radius,debug,packet       1a431e859075af294d1eeecfdc5329ba 
03:43:30 radius,debug,packet       3f1def5eb0b8cfac28033b42f7c5daa2 
03:43:30 radius,debug,packet       b3ced2990bef73f874a4a39ca618ad8b 
03:43:30 radius,debug,packet       2a7bb067046b4035fd57686e4f9bc054 
03:43:30 radius,debug,packet       589f566405a29fa2ac2574e8f0d8f41b 
03:43:30 radius,debug,packet       8091abb76ad7b2c19c26e2f509a94b37 
03:43:30 radius,debug,packet       3692e3cd6eb57c3ef6d32c85eea5f645 
03:43:30 radius,debug,packet       163d1df66a5a16160301014b0c000147 
03:43:30 radius,debug,packet       03001741046b29323946fbe64d84d895 
03:43:30 radius,debug,packet       2e9dc7c1c7f7496e7f60307011d19a41 
03:43:30 radius,debug,packet       10b8e5af781c585bf552a5e2b8 
03:43:30 radius,debug,packet     EAP-Message = 0x5042c817d157f7af7542d05f0b8d6c8e 
03:43:30 radius,debug,packet       b1c521263928743601000d636f028759 
03:43:30 radius,debug,packet       dee622ef9dc897aebcd1974cf9ac6fa0 
03:43:30 radius,debug,packet       9495d72c51134500fb7c50834a448378 
03:43:30 radius,debug,packet       ab721d00164f52f62e47bff6a97e7fb4 
03:43:30 radius,debug,packet       5be9fe618d072c395496ad57a2510dde 
03:43:30 radius,debug,packet       fa2c65ad7394f26fde2e681eb525e178 
03:43:30 radius,debug,packet       95c2b322a5f76e1fb46e7f3583c8733f 
03:43:30 radius,debug,packet       1d1538426d3ad1d3bedb82a2177c4ddb 
03:43:30 radius,debug,packet       1b52745098bbe9c8500b756d4f25213b 
03:43:30 radius,debug,packet       a8f707ab1033b7a7e745d7a2fb9f8d3e 
03:43:30 radius,debug,packet       1636d06c5a1544ab7ab50180d83c4834 
03:43:30 radius,debug,packet       f8194bd89743c017aa1bf3e45688a7f6 
03:43:30 radius,debug,packet       9c9418a1f207d0387589b0126772651d 
03:43:30 radius,debug,packet       aad88196a297a25e92566a31b37136b5 
03:43:30 radius,debug,packet       074b89851407ff9278f16fa94e 
03:43:30 radius,debug,packet     EAP-Message = 0x0701d435a5c750ceba1dcefd752a00c0 
03:43:30 radius,debug,packet       f2b4a6b4c319ec6cd25acb096e160301 
03:43:30 radius,debug,packet       00040e000000 
03:43:30 radius,debug,packet     Message-Authenticator = 0x0e5fa06e6f3e4bc5aeae95491d2339c7 
03:43:30 radius,debug,packet     State = 0xc1bb6d52c5bd74cd71f70b1b63d2de6d 
03:43:30 radius,debug,packet sending Access-Request with id 245 to 198.51.100.34:1812 
03:43:30 radius,debug,packet     Signature = 0x6cfca301bf3c86cb691c53f919b1641b 
03:43:30 radius,debug,packet     Service-Type = 2 
03:43:30 radius,debug,packet     Framed-MTU = 1400 
03:43:30 radius,debug,packet     User-Name = "huber@maier.de" 
03:43:30 radius,debug,packet     State = 0xc1bb6d52c5bd74cd71f70b1b63d2de6d 
03:43:30 radius,debug,packet     NAS-Port-Id = "CAP-6C3B6B7695E3-1-1" 
03:43:30 radius,debug,packet     NAS-Port-Type = 19 
03:43:30 radius,debug,packet     Acct-Session-Id = "8210066c" 
03:43:30 radius,debug,packet     Calling-Station-Id = "A0-88-B4-D7-58-A4" 
03:43:30 radius,debug,packet     Called-Station-Id = "6E-3B-6B-76-95-E9:WIRELESS" 
03:43:30 radius,debug,packet     EAP-Message = 0x02060090198000000086160301004610 
03:43:30 radius,debug,packet       000042410430e6273200b886f6ec0784 
03:43:30 radius,debug,packet       25238bddb09e5a05f24d5263d64286d1 
03:43:30 radius,debug,packet       5149e61f564a200a05561851b376c88b 
03:43:30 radius,debug,packet       25289660ea8059f875b9fcdd648d759d 
03:43:30 radius,debug,packet       e86a49d00f1403010001011603010030 
03:43:30 radius,debug,packet       08112980457c2cafde104639f365e45f 
03:43:30 radius,debug,packet       e165092deeb415889ffb607ce1c853b0 
03:43:30 radius,debug,packet       5b369574a185abb76b64b57c77778812 
03:43:30 radius,debug,packet     Message-Authenticator = 0xa7f26a31454a4a8102059a620db9d7a4 
03:43:30 radius,debug,packet     NAS-Identifier = "CAPsMAN" 
03:43:30 radius,debug,packet     NAS-IP-Address = 198.51.100.33 
03:43:30 radius,debug,packet received Access-Challenge with id 245 from 198.51.100.34:1812 
03:43:30 radius,debug,packet     Signature = 0x11c9b338b5b8a55ae4cc213c759b8651 
03:43:30 radius,debug,packet     EAP-Message = 0x01070041190014030100010116030100 
03:43:30 radius,debug,packet       30ab13238f6949f5a033f0abfdf72c16 
03:43:30 radius,debug,packet       d7ed93183a0b3fd0cde3f0aa7a2ccbc0 
03:43:30 radius,debug,packet       6920741721c65b97f6b6ae85c2389e4a 
03:43:30 radius,debug,packet       29 
03:43:30 radius,debug,packet     Message-Authenticator = 0xdc1303f82a8ca43b3e5b28e51448fb61 
03:43:30 radius,debug,packet     State = 0xc1bb6d52c4bc74cd71f70b1b63d2de6d 
03:43:30 radius,debug,packet sending Access-Request with id 246 to 198.51.100.34:1812 
03:43:30 radius,debug,packet     Signature = 0xd3fe71a95fb573e4eb38665e147fa2ff 
03:43:30 radius,debug,packet     Service-Type = 2 
03:43:30 radius,debug,packet     Framed-MTU = 1400 
03:43:30 radius,debug,packet     User-Name = "huber@maier.de" 
03:43:30 radius,debug,packet     State = 0xc1bb6d52c4bc74cd71f70b1b63d2de6d 
03:43:30 radius,debug,packet     NAS-Port-Id = "CAP-6C3B6B7695E3-1-1" 
03:43:30 radius,debug,packet     NAS-Port-Type = 19 
03:43:30 radius,debug,packet     Acct-Session-Id = "8210066c" 
03:43:30 radius,debug,packet     Calling-Station-Id = "A0-88-B4-D7-58-A4" 
03:43:30 radius,debug,packet     Called-Station-Id = "6E-3B-6B-76-95-E9:WIRELESS" 
03:43:30 radius,debug,packet     EAP-Message = 0x020700061900 
03:43:30 radius,debug,packet     Message-Authenticator = 0x42565d255007119d0d122fc339b11c5f 
03:43:30 radius,debug,packet     NAS-Identifier = "CAPsMAN" 
03:43:30 radius,debug,packet     NAS-IP-Address = 198.51.100.33 
03:43:30 radius,debug,packet received Access-Challenge with id 246 from 198.51.100.34:1812 
03:43:30 radius,debug,packet     Signature = 0xb7156d23a14fb3ae7b59c915471ce374 
03:43:30 radius,debug,packet     EAP-Message = 0x0108002b19001703010020de01b1062f 
03:43:30 radius,debug,packet       f6496a0b2abd347516233c95eb1da09f 
03:43:30 radius,debug,packet       baa8ebee7480220fbeaea3 
03:43:30 radius,debug,packet     Message-Authenticator = 0xeb9035b30d5db51370d4db090efc0a14 
03:43:30 radius,debug,packet     State = 0xc1bb6d52c7b374cd71f70b1b63d2de6d 
03:43:30 radius,debug,packet sending Access-Request with id 247 to 198.51.100.34:1812 
03:43:30 radius,debug,packet     Signature = 0xbdde72c34fca83528dc0f37782401217 
03:43:30 radius,debug,packet     Service-Type = 2 
03:43:30 radius,debug,packet     Framed-MTU = 1400 
03:43:30 radius,debug,packet     User-Name = "huber@maier.de" 
03:43:30 radius,debug,packet     State = 0xc1bb6d52c7b374cd71f70b1b63d2de6d 
03:43:30 radius,debug,packet     NAS-Port-Id = "CAP-6C3B6B7695E3-1-1" 
03:43:30 radius,debug,packet     NAS-Port-Type = 19 
03:43:30 radius,debug,packet     Acct-Session-Id = "8210066c" 
03:43:30 radius,debug,packet     Calling-Station-Id = "A0-88-B4-D7-58-A4" 
03:43:30 radius,debug,packet     Called-Station-Id = "6E-3B-6B-76-95-E9:WIRELESS" 
03:43:30 radius,debug,packet     EAP-Message = 0x0208003b190017030100300a794debdc 
03:43:30 radius,debug,packet       99066c0fc331caeaf6999c8f08950009 
03:43:30 radius,debug,packet       7012607d9358bdfad6ee436988be48e8 
03:43:30 radius,debug,packet       3f2f3c6489f842595a7d18 
03:43:30 radius,debug,packet     Message-Authenticator = 0x64893d2cc79fa21c5c028aa5fea56d02 
03:43:30 radius,debug,packet     NAS-Identifier = "CAPsMAN" 
03:43:30 radius,debug,packet     NAS-IP-Address = 198.51.100.33 
03:43:30 radius,debug,packet received Access-Challenge with id 247 from 198.51.100.34:1812 
03:43:30 radius,debug,packet     Signature = 0x06d8207876f37db619e03909fc4dd408 
03:43:30 radius,debug,packet     EAP-Message = 0x0109004b19001703010040b821a243d0 
03:43:30 radius,debug,packet       00f9af78e277fafe6614826076c42304 
03:43:30 radius,debug,packet       3af72fdee82dc61f23ffcefb4cc297fa 
03:43:30 radius,debug,packet       a1c045adad54f58e0b0244221158db84 
03:43:30 radius,debug,packet       08ce7c0d1f5f22ea0b977c 
03:43:30 radius,debug,packet     Message-Authenticator = 0xaf772a1ffdac5a40cd413d7fe0bca318 
03:43:30 radius,debug,packet     State = 0xc1bb6d52c6b274cd71f70b1b63d2de6d 
03:43:30 radius,debug,packet sending Access-Request with id 248 to 198.51.100.34:1812 
03:43:30 radius,debug,packet     Signature = 0x795ce5a5d40a4aa8a5d32a65f30a55f0 
03:43:30 radius,debug,packet     Service-Type = 2 
03:43:30 radius,debug,packet     Framed-MTU = 1400 
03:43:30 radius,debug,packet     User-Name = "huber@maier.de" 
03:43:30 radius,debug,packet     State = 0xc1bb6d52c6b274cd71f70b1b63d2de6d 
03:43:30 radius,debug,packet     NAS-Port-Id = "CAP-6C3B6B7695E3-1-1" 
03:43:30 radius,debug,packet     NAS-Port-Type = 19 
03:43:30 radius,debug,packet     Acct-Session-Id = "8210066c" 
03:43:30 radius,debug,packet     Calling-Station-Id = "A0-88-B4-D7-58-A4" 
03:43:30 radius,debug,packet     Called-Station-Id = "6E-3B-6B-76-95-E9:WIRELESS" 
03:43:30 radius,debug,packet     EAP-Message = 0x0209006b190017030100606ae42580bb 
03:43:30 radius,debug,packet       106d1207ea2ca18b4a47de3dda25a8b4 
03:43:30 radius,debug,packet       7f2623031a820569ac6b81843839da0b 
03:43:30 radius,debug,packet       4d39df58f34818e59ac92969c2845b29 
03:43:30 radius,debug,packet       30c047f9449df5fda29433423bad09b2 
03:43:30 radius,debug,packet       dda17e5bbc88aad62fd6c42de59264aa 
03:43:30 radius,debug,packet       c0985d527e6568936d3895 
03:43:30 radius,debug,packet     Message-Authenticator = 0xe772f73f80de45f48c1f69125e7585b6 
03:43:30 radius,debug,packet     NAS-Identifier = "CAPsMAN" 
03:43:30 radius,debug,packet     NAS-IP-Address = 198.51.100.33 
03:43:30 radius,debug,packet received Access-Challenge with id 248 from 198.51.100.34:1812 
03:43:30 radius,debug,packet     Signature = 0xf7ab606dd0e2d7d6afe3b2ceee73831d 
03:43:30 radius,debug,packet     EAP-Message = 0x010a005b1900170301005041bd8fac56 
03:43:30 radius,debug,packet       3a205f6c6c3511a79107e75a4b55fca1 
03:43:30 radius,debug,packet       ffda4420bd15d26abcc1d1b44a207667 
03:43:30 radius,debug,packet       c1c3674e9b6e0a678b9016a55701f40f 
03:43:30 radius,debug,packet       4581278312e0365400e56f46593eb609 
03:43:30 radius,debug,packet       fe69694300d5728bf0ad9b 
03:43:30 radius,debug,packet     Message-Authenticator = 0xa288bc4f6d4aa9b7318f331abcb8d914 
03:43:30 radius,debug,packet     State = 0xc1bb6d52c9b174cd71f70b1b63d2de6d 
03:43:30 radius,debug,packet sending Access-Request with id 249 to 198.51.100.34:1812 
03:43:30 radius,debug,packet     Signature = 0xf2f63fc37d4b619d68315ba38d833a18 
03:43:30 radius,debug,packet     Service-Type = 2 
03:43:30 radius,debug,packet     Framed-MTU = 1400 
03:43:30 radius,debug,packet     User-Name = "huber@maier.de" 
03:43:30 radius,debug,packet     State = 0xc1bb6d52c9b174cd71f70b1b63d2de6d 
03:43:30 radius,debug,packet     NAS-Port-Id = "CAP-6C3B6B7695E3-1-1" 
03:43:30 radius,debug,packet     NAS-Port-Type = 19 
03:43:30 radius,debug,packet     Acct-Session-Id = "8210066c" 
03:43:30 radius,debug,packet     Calling-Station-Id = "A0-88-B4-D7-58-A4" 
03:43:30 radius,debug,packet     Called-Station-Id = "6E-3B-6B-76-95-E9:WIRELESS" 
03:43:30 radius,debug,packet     EAP-Message = 0x020a002b19001703010020b020e7d404 
03:43:30 radius,debug,packet       5a294752e394084ae591e79404fa60cb 
03:43:30 radius,debug,packet       fed40fe1070d2a88dec862 
03:43:30 radius,debug,packet     Message-Authenticator = 0x49345cb43866a619c1e3508e50e60ee6 
03:43:30 radius,debug,packet     NAS-Identifier = "CAPsMAN" 
03:43:30 radius,debug,packet     NAS-IP-Address = 198.51.100.33 
03:43:31 radius,debug,packet received Access-Challenge with id 249 from 198.51.100.34:1812 
03:43:31 radius,debug,packet     Signature = 0x740450c839ce3f9e6f091a0072b1e31f 
03:43:31 radius,debug,packet     EAP-Message = 0x010b002b190017030100200b748b0dde 
03:43:31 radius,debug,packet       6486bda29a6968c2b6be0da9452c69ae 
03:43:31 radius,debug,packet       d819e0999c6ba0296b38ec 
03:43:31 radius,debug,packet     Message-Authenticator = 0x0e7fef057396a517b57a691fdb55002f 
03:43:31 radius,debug,packet     State = 0xc1bb6d52c8b074cd71f70b1b63d2de6d 
03:43:31 radius,debug,packet sending Access-Request with id 250 to 198.51.100.34:1812 
03:43:31 radius,debug,packet     Signature = 0x9de071e290e6770583f664e5da630faf 
03:43:31 radius,debug,packet     Service-Type = 2 
03:43:31 radius,debug,packet     Framed-MTU = 1400 
03:43:31 radius,debug,packet     User-Name = "huber@maier.de" 
03:43:31 radius,debug,packet     State = 0xc1bb6d52c8b074cd71f70b1b63d2de6d 
03:43:31 radius,debug,packet     NAS-Port-Id = "CAP-6C3B6B7695E3-1-1" 
03:43:31 radius,debug,packet     NAS-Port-Type = 19 
03:43:31 radius,debug,packet     Acct-Session-Id = "8210066c" 
03:43:31 radius,debug,packet     Calling-Station-Id = "A0-88-B4-D7-58-A4" 
03:43:31 radius,debug,packet     Called-Station-Id = "6E-3B-6B-76-95-E9:WIRELESS" 
03:43:31 radius,debug,packet     EAP-Message = 0x020b002b19001703010020ac6a7c9674 
03:43:31 radius,debug,packet       b779295b536433c77b125c40b8b554b4 
03:43:31 radius,debug,packet       1e3fd187c8080acb970712 
03:43:31 radius,debug,packet     Message-Authenticator = 0xd66e4bbef81b461042c960c5d1141ca3 
03:43:31 radius,debug,packet     NAS-Identifier = "CAPsMAN" 
03:43:31 radius,debug,packet     NAS-IP-Address = 198.51.100.33 
03:43:31 radius,debug,packet received Access-Accept with id 250 from 198.51.100.34:1812 
03:43:31 radius,debug,packet     Signature = 0xdb096f77bd316900fd55c4b5149116d0 
03:43:31 radius,debug,packet     MS-MPPE-Recv-Key = 0xb76dcd6498d849a10bea3e3e3131697f 
03:43:31 radius,debug,packet       8504f1f8c3f691c683bbf93156b4baa9 
03:43:31 radius,debug,packet       eb1df591c88961cc33627132992dd4ec 
03:43:31 radius,debug,packet       3966 
03:43:31 radius,debug,packet     MS-MPPE-Send-Key = 0xbb6aeb5c1b7fbd84ff9ad79a118e1e63 
03:43:31 radius,debug,packet       aba7980fd3dc551cad845c90e55b0462 
03:43:31 radius,debug,packet       ca99e0d3407151bb2f88de83f18c635d 
03:43:31 radius,debug,packet       744d 
03:43:31 radius,debug,packet     EAP-Message = 0x030b0004 
03:43:31 radius,debug,packet     Message-Authenticator = 0xd7fedea48e69afe161343275a791b834 
03:43:31 radius,debug,packet     User-Name = "huber@maier.de"

well, after all changeing… user is till on VLAN 1

(295)   Mikrotik_Wireless_VLANID = 20
(295)   Mikrotik_Wireless_VLANIDtype = 0

Your AAA sever is returning VLAN number, BUT, it is also returning a VLANIDtype of 0, which means do NOT tag the traffic. You need to return VLANIDtype = 2, not 0 (https://wiki.mikrotik.com/wiki/Manual:Interface/Wireless#VLAN_tagging)

vlan-mode (no tag | user service tag | use tag; Default: no tag)	Three VLAN modes are available:
no-tag - AP don't use VLAN tagging
use-service-tag - VLAN ID use 802.1ad tag type
use-tag - VLAN ID use 802.1q tag type

0 = no-tag
1 = use-service-tag
2 = use-tag

hi savage
hi everone

thanks for the input, and correction! i’ve made it, but still have vlanid one in mikrotik

There’s something strange with your radius…

Your last access-challenge, is request 296 in your radius log, and THAT request, includes the VLAN parameters. However, request 297 (which is your access-accept), does NOT include any VLAN parameters.

So somewhere between the access-challenge and the access-accept, you stop sending the VLAN parameters back to your Tik. It’s also strange that you do 10+ access-challenges. It shouldn’t be that many. Something isn’t playing correctly with your FreeRadius setup.

definitely…

DorianGray, can you please post a radtest?

That, is incorrect. It needs to be updated, just FYI…

I just had a look, and we send (successfully using this):
Mikrotik-Wireless-VLANID (26, int)
Mikrotik-Wireless-VLANID-Type (27, int)

Whilst the physical names of the attributes aren’t that important (as long as the IDs and types match in the dictionaries), the values for VLANID-Type, are incorrect on the WIKI (Mikrotik-Wireless-VLANID & Mikrotik-Wireless-VLANID-Type are standard attributes included in the dictionary.mikrotik included in FreeRadius however).

VLANID-Type is 0 no no tagging, 1 for 802.1ad, and 2 for 802.1q

We send for example:

Fri Feb 24 13:20:54 2017
	Packet-Type = Access-Accept
	Mikrotik-Wireless-VLANID-Type = 2
	Mikrotik-Wireless-VLANID = 500
	Mikrotik-Wireless-Skip-Dot1x = 1
	Mikrotik-Wireless-Forward = 0

Back to the topic however:
After closely looking at the OPs logs (and matching the MT log with the FR logs in terms of radius requests), EAP never stops challenging. The EAP session isn’t authenticated correctly, and there never seem to be any valid attributes being sent from FR to MT other than EAP challenges. OP, your Radius server’s EAP isn’t working Get that working first, and then worry about the attributes that’s being sent after the EAP negotiation has completed.

I can’t see clearly from the logs as to WHY EAP neogotiation is failing. It could be something with the chipers / encryption / certificates. That’s mostly where most people get stuck with EAP from my experience.

Well, problem solved!
thanks to pukkita,
thanks to savage,
thanks to the community!

My Problem was, the VLANIDs were set in the inner-tunnel and not transfered to the outer-tunnel!

in eap.conf

use_tunneled_reply = yes

didn’t work for me

so i activated in sites-enabled/inner-tunnel

        update {
                &outer.session-state: += &reply:
        }

and


        update outer.session-state {
                MS-MPPE-Encryption-Policy !* ANY
                MS-MPPE-Encryption-Types !* ANY
                MS-MPPE-Send-Key !* ANY
                MS-MPPE-Recv-Key !* ANY
                Message-Authenticator !* ANY
                EAP-Message !* ANY
                Proxy-State !* ANY
        }

so.. my radius users are getting now the proper vlan


i also used:

Mikrotik_Wireless_VLANID
and
Mikrotik_Wireless_VLANIDtype

Reviving an old but relevant thread. I’ve followed everything in this thread as well as http://forum.mikrotik.com/t/solved-freeradius-aaa-assign-users-to-groups/47140/1 http://forum.mikrotik.com/t/capsman-dynamic-vlan/124118/1 http://forum.mikrotik.com/t/capsman-freeradius-user-based-vlan/99112/1 http://forum.mikrotik.com/t/feature-request-dynamic-vlan-assignment-wlan/111334/1 http://forum.mikrotik.com/t/wlan-client-isolation-in-dynamic-vlan-assignment/123458/1 http://forum.mikrotik.com/t/add-dynamic-vlan-assignment/76436/1

The issue I have is that I get this error:
dhcp,warning VL60 DHCP offering lease 172.16.60.60 for B0:65:BD:36:XX:XX without success (samsung, not apple)

This error only occurs when I login with WPA2-EAP with freeradius assigned vlan.

WPA2-PSK (not radius) tagged vlan is fine.
WPA2-EAP freeradius user with no-vlan (untagged vlan) is also fine.

What might be the issue. ROS 6.44.3 on HAPAC2.

Thank you.

Here is the radius log:

23:06:57 radius,debug new request 58:2e0 code=Access-Request service=wireless called-id=66-D1-54-3F-XX-XX:RADIUSTEST
23:06:57 radius,debug sending 58:2e0 to 192.168.86.59:1812
23:06:57 radius,debug,packet sending Access-Request with id 164 to 192.168.86.59:1812
23:06:57 radius,debug,packet Signature = 0x4d00fe3e97e6f42fd74f0eff0ac31252
23:06:57 radius,debug,packet Service-Type = 2
23:06:57 radius,debug,packet Framed-MTU = 1400
23:06:57 radius,debug,packet User-Name = “vl60”
23:06:57 radius,debug,packet State = 0x6dd7aae665deb30aba21bd840b612524
23:06:57 radius,debug,packet NAS-Port-Id = “HAPACLITE-1-2”
23:06:57 radius,debug,packet NAS-Port-Type = 19
23:06:57 radius,debug,packet Acct-Session-Id = “82300029”
23:06:57 radius,debug,packet Calling-Station-Id = “B0-65-BD-36-XX-XX”
23:06:57 radius,debug,packet Called-Station-Id = “66-D1-54-3F-XX-XX:RADIUSTEST”
23:06:57 radius,debug,packet EAP-Message = 0x0209002b19001703010020cbdc706573
23:06:57 radius,debug,packet 85b670a0fe74c552022c034b1b621794
23:06:57 radius,debug,packet 4f3759c13b6e47d4c10b67
23:06:57 radius,debug,packet Message-Authenticator = 0xf5cc5b324de16aeadeb1b57417764f9e
23:06:57 radius,debug,packet NAS-Identifier = “HAPAC2”
23:06:57 radius,debug,packet NAS-IP-Address = 192.168.86.1
23:06:57 radius,debug,packet received Access-Accept with id 164 from 192.168.86.59:1812
23:06:57 radius,debug,packet Signature = 0x022a3492791cdde7f7ba3c7337d8f63c
23:06:57 radius,debug,packet MT-Wireless-VLAN-ID = 60
23:06:57 radius,debug,packet MT-Wireless-VLAN-ID-Type = 0
23:06:57 radius,debug,packet User-Name = “vl60”
23:06:57 radius,debug,packet MS-MPPE-Recv-Key = 0xa77f4eb50d0792ca2040d24a142151e8
23:06:57 radius,debug,packet d4cd14be1b5d0dece1ccc145e62b473d
23:06:57 radius,debug,packet d03b83912c96cd7b910c8a61ce9f03b8
23:06:57 radius,debug,packet bf91
23:06:57 radius,debug,packet MS-MPPE-Send-Key = 0xaf5765190f02b1179860f6de54de7da0
23:06:57 radius,debug,packet 9efa9e1aac7d7ed435d9ee3cca115f04
23:06:57 radius,debug,packet 24c56fd8337418c2f7993c58c04d7475
23:06:57 radius,debug,packet 48f9
23:06:57 radius,debug,packet EAP-Message = 0x03090004
23:06:57 radius,debug,packet Message-Authenticator = 0xe749dfa7dd46e58f859e138dbae72441
23:06:57 radius,debug received reply for 58:2e0
23:06:58 dhcp,warning VL60 DHCP offering lease 172.16.60.60 for B0:65:BD:36:XX:XX without success

/caps-man configuration
add datapath.bridge=bridge1 mode=ap name=“RADIUS TEST”
security.authentication-types=wpa2-eap security.eap-methods=passthrough security.encryption=aes-ccm
security.group-encryption=aes-ccm ssid=RADIUSTEST

Might it have to do with the fact that the radius server is on vlan86 while the client (as instructed by freeradius) is to be on vlan60? The dhcp server is on the mikrotik router, as is capsman. The client is logging in from a cap.

Might a firewall rule (or something) be blocking the dhcp offers from being accepted? Perhaps a vlan mismatch between the client and dhcp server somewhere during the handover from freeradius back to capsman/dhcp-server.

do u have more information about ur setup? any configs? freeradius config?

Is the DHCP Working? if the VLAN is not dynamicly set?

Thank you for your response Dorian.

I will post that data soon. I am not sure this is even a radius issue. I am now testing with Tekradius LT as instructed here https://mum.mikrotik.com/presentations/CN16/presentation_3107_1461137144.pdf.

I have bypassed DHCP and placed a static address 192.168.86.10 on the client constantly pinging 192.168.86.1 (gateway for vlan 86).

---- Test 1 ----

When the capsman ssid config is the following:
add datapath.bridge=bridge1 datapath.vlan-mode=use-tag datapath.vlan-id=86
security.authentication-types=wpa2-eap security.eap-methods=passthrough

The radius authenticates the wifi client and the client pings gateway just fine.

The radius attribute for the above user is pure user/password checking, without Mikrotik-Wireless-VLANID and Mikrotik-Wireless-VLANIDtype.

---- Test 2 ----

However when I add:
Mikrotik-Wireless-VLANID = 86
Mikrotik-Wireless-VLANIDtype = 0 (I also tried 2)

and modified the capsman ssid config into:
add datapath.bridge=bridge1 security.authentication-types=wpa2-eap security.eap-methods=passthrough

The client pings to 86.1 fails. I don’t think capsman even placed the client in the right vlan.

— Test 3 ----

I even tried (just as the mum pdf instructions):
Mikrotik-Wireless-VLANID = 86 without Mikrotik-Wireless-VLANIDtype = 0

and modified the capsman ssid config into:
add datapath.bridge=bridge1 datapath.vlan-mode=use-tag
security.authentication-types=wpa2-eap security.eap-methods=passthrough

the result is the same, failure to ping gateway at 86.1

Let’s not talk DHCP. The problem is more basic. It seems like capsman isn’t processing Mikrotik-Wireless-VLANID and Mikrotik-Wireless-VLANIDtype properly. The client doesn’t seem to be in the right vlan.

May I ask if you can share your capsman (or wireless) configuration for your ssid that correctly assigns the dynamic vlan. Although, I don’t think it’s this. Perhaps it has to do with the vlan tagging of this cap interface to the bridge.

I’ve been testing with capsman. I will test next without capsman, with a simple virtual ap. I have a feeling the jackpot is coming my way.

JACKPOT!

With a manually created SSID (Virtual AP), the radius properly authenticates the user and places the user in the right vlan. The only issue is I had to ipconfig/release and /renew when switching between different users in different vlans. In production, this should not be an issue.

As I suspected, CAPSMAN (most likely the way I have setup CAPSMAN) is not processing Mikrotik-Wireless-VLANID and Mikrotik-Wireless-VLANIDtype properly.

I think it has to do with the dynamic cap interface to the bridge and bridge vlan tagging.

I know exactly what’s happening now. This is the issue:

If I have 200 CAPs, I have to add all 200 CAP Interfaces manually to the bridge? This doesn’t seem like the normal Mikrotik way. I must be missing something.

Are you using CAPSMAN manager forwarding mode?

Thesis:
=> You have to specifiy “vlan-id=” with “vlan-mode=use-tag”. “vlan-id=” must not be empty within datapath configuration

It worked the same for me, but I had to modify something else .. I attached my modification

nano /etc/freeradius/3.0/sites-enabled/inner-tunnel

post-auth {

if (1) {

These attributes are for the inner-tunnel only,

and MUST NOT be copied to the outer reply.

update reply {
User-Name !* ANY
Message-Authenticator !* ANY
EAP-Message !* ANY
Proxy-State !* ANY
MS-MPPE-Encryption-Types !* ANY
MS-MPPE-Encryption-Policy !* ANY
MS-MPPE-Send-Key !* ANY
MS-MPPE-Recv-Key !* ANY
}

Copy the inner reply attributes to the outer

session-state list. The post-auth policy will take

care of copying the outer session-state list to the

outer reply.

update {
&outer.session-state: += &reply:
}
update outer.session-state {
MS-MPPE-Encryption-Policy !* ANY
MS-MPPE-Encryption-Types !* ANY
MS-MPPE-Send-Key !* ANY
MS-MPPE-Recv-Key !* ANY
Message-Authenticator !* ANY
EAP-Message !* ANY
Proxy-State !* ANY
}

}

Hello @anuser @ashpri,

I’m facing the same issue with bridge/vlan problems.

I’m trying to do the same with the exception that I use Windows NPS.

Does someone achieve this kind setup ? One SSID + CAPsMAM Forwarding + Dynamic VLAN (radius/nps) ?

I’ve try many differents setups, and It always ends up the same: dyn cap interface fall into default bridge vlan(1) when someone connects to the EAP WiFi…

as @ashpri, I have to add manually each (dyn vlan) cap interfaces for each CAP(2G/5G) to make it work:

the major issue is if, for example, the CAP reboots, the cap interfaces in the bridge vlan are replaced by “ether1” and I have to repeat manually steps again…

I try to forward all wifi trafic to the manager while using dynamics/assigned VLAN with Radius (Windows NPS).

The Capsman automatically creates the necessary VLAN membership in the bridge based on the configured VLAN ID in the Capsman data path. If a different VLAN ID is given via access list or radius, this does not work because the tagged VLAN membership is missing.
This can be tested by manually setting the appropriate memberships, then it works.
Since the caps interfaces are dynamic (changing IDs?), this configuration is lost after a reboot or reprovisioning.
If Capsman is not operated in forwarding mode but in local mode, you can supply the physical WLAN interfaces in the caps with the appropriate VLANs and this configuration remains in place.

I think Mikrotik Support should be able to confirm this and consider it a feature request.
The Capsman Datapath configuration should actually allow multiple VLANs, one as default and the rest to ensure dynamic VLAN assignment on the bridges.
At the moment, an SSID with several VLANs only works in local mode after the VLAN memberships have been set manually.