FreeRADIUS / freeradius-server

FreeRADIUS - A multi-protocol policy server.
http://freeradius.org
GNU General Public License v2.0

[defect]: segfault crash during EAP-TLS authentication in 3.0.25 and 3.2.1 #4831

Closed CryptoproctaX closed 1 year ago

CryptoproctaX commented 1 year ago

What type of defect/bug is this?

Crash or memory corruption (segv, abort, etc...)

How can the issue be reproduced?

The server was freshly installed under Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-56-generic x86_64). FreeRADIUS version 3.0.26 was first installed from the Ubuntu package sources. Because of the problem described here, I later updated FreeRADIUS to version 3.2.1 from the networkradius.com package sources. The problem occurs in both versions.

The problem is that FreeRADIUS crashes with a segfault on every EAP-TLS authentication attempt.

The server configuration is essentially unchanged from the default. I only changed what was necessary to include my certificates and to define the RADIUS clients and a test user.

The certificates were generated by an external CA. They are EC certificates.

The test user's authentication attempts were made from an iPhone running iOS 16.1.1.

Log output from the FreeRADIUS daemon

root@vsrv-dus6-rad01:~# freeradius -X
FreeRADIUS Version 3.2.1
Copyright (C) 1999-2022 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...

***
***
section removed because it was too long to post on GitHub
***
***

main {
 security {
    user = "freerad"
    group = "freerad"
    allow_core_dumps = no
 }
    name = "freeradius"
    prefix = "/usr"
    localstatedir = "/var"
    logdir = "/var/log/freeradius"
    run_dir = "/var/run/freeradius"
}
main {
    name = "freeradius"
    prefix = "/usr"
    localstatedir = "/var"
    sbindir = "/usr/sbin"
    logdir = "/var/log/freeradius"
    run_dir = "/var/run/freeradius"
    libdir = "/usr/lib/freeradius"
    radacctdir = "/var/log/freeradius/radacct"
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 16384
    postauth_client_lost = no
    pidfile = "/var/run/freeradius/freeradius.pid"
    checkrad = "/usr/sbin/checkrad"
    debug_level = 0
    proxy_requests = yes
 log {
    stripped_names = no
    auth = no
    auth_badpass = no
    auth_goodpass = no
    colourise = yes
    msg_denied = "You are already logged in - access denied"
 }
 resources {
 }
 security {
    max_attributes = 200
    reject_delay = 1.000000
    status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
    retry_delay = 5
    retry_count = 3
    default_fallback = no
    dead_time = 120
    wake_all_if_all_dead = no
 }
 home_server localhost {
    ipaddr = 127.0.0.1
    port = 1812
    type = "auth"
    secret = <<< secret >>>
    response_window = 20.000000
    response_timeouts = 1
    max_outstanding = 65536
    zombie_period = 40
    status_check = "status-server"
    ping_interval = 30
    check_interval = 30
    check_timeout = 4
    num_answers_to_alive = 3
    revive_interval = 120
  limit {
    max_connections = 16
    max_requests = 0
    lifetime = 0
    idle_timeout = 0
  }
  coa {
    irt = 2
    mrt = 16
    mrc = 5
    mrd = 30
  }
  recv_coa {
  }
 }
 home_server_pool my_auth_failover {
    type = fail-over
    home_server = localhost
 }
 realm example.com {
    auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Loading Clients ####
 client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = <<< secret >>>
    nas_type = "other"
    proto = "*"
  limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
  }
 }
 client localhost_ipv6 {
    ipv6addr = ::1
    require_message_authenticator = no
    secret = <<< secret >>>
  limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
  }
 }
 client VL-OBE0-INT-LAN-legacy {
    ipaddr = 192.168.3.0/24
    require_message_authenticator = no
    secret = <<< secret >>>
  limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
  }
 }
 client VL-OBE0-INT-Management {
    ipaddr = 192.168.206.0/24
    require_message_authenticator = no
    secret = <<< secret >>>
  limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
  }
 }
Debugger not attached
systemd watchdog is disabled
 # Creating Auth-Type = mschap
 # Creating Auth-Type = digest
 # Creating Auth-Type = eap
 # Creating Auth-Type = PAP
 # Creating Auth-Type = CHAP
 # Creating Auth-Type = MS-CHAP
 # Creating Autz-Type = New-TLS-Connection
radiusd: #### Instantiating modules ####
 modules {
  # Loaded module rlm_unpack
  # Loading module "unpack" from file /etc/freeradius/mods-enabled/unpack
  # Loaded module rlm_preprocess
  # Loading module "preprocess" from file /etc/freeradius/mods-enabled/preprocess
  preprocess {
    huntgroups = "/etc/freeradius/mods-config/preprocess/huntgroups"
    hints = "/etc/freeradius/mods-config/preprocess/hints"
    with_ascend_hack = no
    ascend_channels_per_line = 23
    with_ntdomain_hack = no
    with_specialix_jetstream_hack = no
    with_cisco_vsa_hack = no
    with_alvarion_vsa_hack = no
  }
  # Loaded module rlm_exec
  # Loading module "ntlm_auth" from file /etc/freeradius/mods-enabled/ntlm_auth
  exec ntlm_auth {
    wait = yes
    program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
    shell_escape = yes
  }
  # Loaded module rlm_passwd
  # Loading module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd
  passwd etc_passwd {
    filename = "/etc/passwd"
    format = "*User-Name:Crypt-Password:"
    delimiter = ":"
    ignore_nislike = no
    ignore_empty = yes
    allow_multiple_keys = no
    hash_size = 100
  }
  # Loaded module rlm_mschap
  # Loading module "mschap" from file /etc/freeradius/mods-enabled/mschap
  mschap {
    use_mppe = yes
    require_encryption = no
    require_strong = no
    with_ntdomain_hack = yes
   passchange {
   }
    allow_retry = yes
    winbind_retry_with_normalised_username = no
  }
  # Loaded module rlm_detail
  # Loading module "detail" from file /etc/freeradius/mods-enabled/detail
  detail {
    filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
    header = "%t"
    permissions = 384
    locking = no
    escape_filenames = no
    log_packet_header = no
  }
  # Loaded module rlm_linelog
  # Loading module "linelog" from file /etc/freeradius/mods-enabled/linelog
  linelog {
    filename = "/var/log/freeradius/linelog"
    escape_filenames = no
    syslog_severity = "info"
    permissions = 384
    format = "This is a log message for %{User-Name}"
    reference = "messages.%{%{reply:Packet-Type}:-default}"
  }
  # Loading module "log_accounting" from file /etc/freeradius/mods-enabled/linelog
  linelog log_accounting {
    filename = "/var/log/freeradius/linelog-accounting"
    escape_filenames = no
    syslog_severity = "info"
    permissions = 384
    format = ""
    reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
  }
  # Loaded module rlm_attr_filter
  # Loading module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter
  attr_filter attr_filter.post-proxy {
    filename = "/etc/freeradius/mods-config/attr_filter/post-proxy"
    key = "%{Realm}"
    relaxed = no
  }
  # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter
  attr_filter attr_filter.pre-proxy {
    filename = "/etc/freeradius/mods-config/attr_filter/pre-proxy"
    key = "%{Realm}"
    relaxed = no
  }
  # Loading module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter
  attr_filter attr_filter.access_reject {
    filename = "/etc/freeradius/mods-config/attr_filter/access_reject"
    key = "%{User-Name}"
    relaxed = no
  }
  # Loading module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter
  attr_filter attr_filter.access_challenge {
    filename = "/etc/freeradius/mods-config/attr_filter/access_challenge"
    key = "%{User-Name}"
    relaxed = no
  }
  # Loading module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter
  attr_filter attr_filter.accounting_response {
    filename = "/etc/freeradius/mods-config/attr_filter/accounting_response"
    key = "%{User-Name}"
    relaxed = no
  }
  # Loading module "attr_filter.coa" from file /etc/freeradius/mods-enabled/attr_filter
  attr_filter attr_filter.coa {
    filename = "/etc/freeradius/mods-config/attr_filter/coa"
    key = "%{User-Name}"
    relaxed = no
  }
  # Loaded module rlm_expr
  # Loading module "expr" from file /etc/freeradius/mods-enabled/expr
  expr {
    safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
  }
  # Loaded module rlm_realm
  # Loading module "IPASS" from file /etc/freeradius/mods-enabled/realm
  realm IPASS {
    format = "prefix"
    delimiter = "/"
    ignore_default = no
    ignore_null = no
  }
  # Loading module "suffix" from file /etc/freeradius/mods-enabled/realm
  realm suffix {
    format = "suffix"
    delimiter = "@"
    ignore_default = no
    ignore_null = no
  }
  # Loading module "bangpath" from file /etc/freeradius/mods-enabled/realm
  realm bangpath {
    format = "prefix"
    delimiter = "!"
    ignore_default = no
    ignore_null = no
  }
  # Loading module "realmpercent" from file /etc/freeradius/mods-enabled/realm
  realm realmpercent {
    format = "suffix"
    delimiter = "%"
    ignore_default = no
    ignore_null = no
  }
  # Loading module "ntdomain" from file /etc/freeradius/mods-enabled/realm
  realm ntdomain {
    format = "prefix"
    delimiter = "\\"
    ignore_default = no
    ignore_null = no
  }
  # Loading module "exec" from file /etc/freeradius/mods-enabled/exec
  exec {
    wait = no
    input_pairs = "request"
    shell_escape = yes
    timeout = 10
  }
  # Loaded module rlm_soh
  # Loading module "soh" from file /etc/freeradius/mods-enabled/soh
  soh {
    dhcp = yes
  }
  # Loaded module rlm_unix
  # Loading module "unix" from file /etc/freeradius/mods-enabled/unix
  unix {
    radwtmp = "/var/log/freeradius/radwtmp"
  }
Creating attribute Unix-Group
  # Loading module "auth_log" from file /etc/freeradius/mods-enabled/detail.log
  detail auth_log {
    filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
    header = "%t"
    permissions = 384
    locking = no
    escape_filenames = no
    log_packet_header = no
  }
  # Loading module "reply_log" from file /etc/freeradius/mods-enabled/detail.log
  detail reply_log {
    filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
    header = "%t"
    permissions = 384
    locking = no
    escape_filenames = no
    log_packet_header = no
  }
  # Loading module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
  detail pre_proxy_log {
    filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
    header = "%t"
    permissions = 384
    locking = no
    escape_filenames = no
    log_packet_header = no
  }
  # Loading module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
  detail post_proxy_log {
    filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
    header = "%t"
    permissions = 384
    locking = no
    escape_filenames = no
    log_packet_header = no
  }
  # Loaded module rlm_replicate
  # Loading module "replicate" from file /etc/freeradius/mods-enabled/replicate
  # Loaded module rlm_radutmp
  # Loading module "radutmp" from file /etc/freeradius/mods-enabled/radutmp
  radutmp {
    filename = "/var/log/freeradius/radutmp"
    username = "%{User-Name}"
    case_sensitive = yes
    check_with_nas = yes
    permissions = 384
    caller_id = yes
  }
  # Loaded module rlm_pap
  # Loading module "pap" from file /etc/freeradius/mods-enabled/pap
  pap {
    normalise = yes
  }
  # Loaded module rlm_always
  # Loading module "reject" from file /etc/freeradius/mods-enabled/always
  always reject {
    rcode = "reject"
    simulcount = 0
    mpp = no
  }
  # Loading module "fail" from file /etc/freeradius/mods-enabled/always
  always fail {
    rcode = "fail"
    simulcount = 0
    mpp = no
  }
  # Loading module "ok" from file /etc/freeradius/mods-enabled/always
  always ok {
    rcode = "ok"
    simulcount = 0
    mpp = no
  }
  # Loading module "handled" from file /etc/freeradius/mods-enabled/always
  always handled {
    rcode = "handled"
    simulcount = 0
    mpp = no
  }
  # Loading module "invalid" from file /etc/freeradius/mods-enabled/always
  always invalid {
    rcode = "invalid"
    simulcount = 0
    mpp = no
  }
  # Loading module "userlock" from file /etc/freeradius/mods-enabled/always
  always userlock {
    rcode = "userlock"
    simulcount = 0
    mpp = no
  }
  # Loading module "notfound" from file /etc/freeradius/mods-enabled/always
  always notfound {
    rcode = "notfound"
    simulcount = 0
    mpp = no
  }
  # Loading module "noop" from file /etc/freeradius/mods-enabled/always
  always noop {
    rcode = "noop"
    simulcount = 0
    mpp = no
  }
  # Loading module "updated" from file /etc/freeradius/mods-enabled/always
  always updated {
    rcode = "updated"
    simulcount = 0
    mpp = no
  }
  # Loaded module rlm_utf8
  # Loading module "utf8" from file /etc/freeradius/mods-enabled/utf8
  # Loaded module rlm_digest
  # Loading module "digest" from file /etc/freeradius/mods-enabled/digest
  # Loaded module rlm_dynamic_clients
  # Loading module "dynamic_clients" from file /etc/freeradius/mods-enabled/dynamic_clients
  # Loaded module rlm_files
  # Loading module "files" from file /etc/freeradius/mods-enabled/files
  files {
    filename = "/etc/freeradius/mods-config/files/authorize"
    acctusersfile = "/etc/freeradius/mods-config/files/accounting"
    preproxy_usersfile = "/etc/freeradius/mods-config/files/pre-proxy"
  }
  # Loaded module rlm_eap
  # Loading module "eap" from file /etc/freeradius/mods-enabled/eap
  eap {
    default_eap_type = "md5"
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 16384
  }
  # Loading module "sradutmp" from file /etc/freeradius/mods-enabled/sradutmp
  radutmp sradutmp {
    filename = "/var/log/freeradius/sradutmp"
    username = "%{User-Name}"
    case_sensitive = yes
    check_with_nas = yes
    permissions = 420
    caller_id = no
  }
  # Loaded module rlm_chap
  # Loading module "chap" from file /etc/freeradius/mods-enabled/chap
  # Loaded module rlm_totp
  # Loading module "totp" from file /etc/freeradius/mods-enabled/totp
  # Loading module "echo" from file /etc/freeradius/mods-enabled/echo
  exec echo {
    wait = yes
    program = "/bin/echo %{User-Name}"
    input_pairs = "request"
    output_pairs = "reply"
    shell_escape = yes
  }
  # Loaded module rlm_date
  # Loading module "date" from file /etc/freeradius/mods-enabled/date
  date {
    format = "%b %e %Y %H:%M:%S %Z"
    utc = no
  }
  # Loading module "wispr2date" from file /etc/freeradius/mods-enabled/date
  date wispr2date {
    format = "%Y-%m-%dT%H:%M:%S"
    utc = no
  }
  # Loaded module rlm_expiration
  # Loading module "expiration" from file /etc/freeradius/mods-enabled/expiration
  # Loaded module rlm_logintime
  # Loading module "logintime" from file /etc/freeradius/mods-enabled/logintime
  logintime {
    minimum_timeout = 60
  }
  instantiate {
  }
  # Instantiating module "preprocess" from file /etc/freeradius/mods-enabled/preprocess
reading pairlist file /etc/freeradius/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/mods-config/preprocess/hints
  # Instantiating module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
  # Instantiating module "mschap" from file /etc/freeradius/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
  # Instantiating module "detail" from file /etc/freeradius/mods-enabled/detail
  # Instantiating module "linelog" from file /etc/freeradius/mods-enabled/linelog
  # Instantiating module "log_accounting" from file /etc/freeradius/mods-enabled/linelog
  # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/post-proxy
  # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/pre-proxy
  # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/access_reject
  # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/access_challenge
  # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/accounting_response
  # Instantiating module "attr_filter.coa" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/coa
  # Instantiating module "IPASS" from file /etc/freeradius/mods-enabled/realm
  # Instantiating module "suffix" from file /etc/freeradius/mods-enabled/realm
  # Instantiating module "bangpath" from file /etc/freeradius/mods-enabled/realm
  # Instantiating module "realmpercent" from file /etc/freeradius/mods-enabled/realm
  # Instantiating module "ntdomain" from file /etc/freeradius/mods-enabled/realm
  # Instantiating module "auth_log" from file /etc/freeradius/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
  # Instantiating module "reply_log" from file /etc/freeradius/mods-enabled/detail.log
  # Instantiating module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
  # Instantiating module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
  # Instantiating module "pap" from file /etc/freeradius/mods-enabled/pap
  # Instantiating module "reject" from file /etc/freeradius/mods-enabled/always
  # Instantiating module "fail" from file /etc/freeradius/mods-enabled/always
  # Instantiating module "ok" from file /etc/freeradius/mods-enabled/always
  # Instantiating module "handled" from file /etc/freeradius/mods-enabled/always
  # Instantiating module "invalid" from file /etc/freeradius/mods-enabled/always
  # Instantiating module "userlock" from file /etc/freeradius/mods-enabled/always
  # Instantiating module "notfound" from file /etc/freeradius/mods-enabled/always
  # Instantiating module "noop" from file /etc/freeradius/mods-enabled/always
  # Instantiating module "updated" from file /etc/freeradius/mods-enabled/always
  # Instantiating module "files" from file /etc/freeradius/mods-enabled/files
reading pairlist file /etc/freeradius/mods-config/files/authorize
reading pairlist file /etc/freeradius/mods-config/files/accounting
reading pairlist file /etc/freeradius/mods-config/files/pre-proxy
  # Instantiating module "eap" from file /etc/freeradius/mods-enabled/eap
   # Linked to sub-module rlm_eap_md5
   # Linked to sub-module rlm_eap_gtc
   gtc {
    challenge = "Password: "
    auth_type = "PAP"
   }
   # Linked to sub-module rlm_eap_tls
   tls {
    tls = "tls-common"
   }
   tls-config tls-common {
    verify_depth = 0
    ca_path = "/etc/freeradius/certs"
    pem_file_type = yes
    private_key_file = "/etc/freeradius/certs/server.key"
    certificate_file = "/etc/freeradius/certs/server.pem"
    ca_file = "/etc/freeradius/certs/fullchain.pem"
    fragment_size = 1024
    include_length = yes
    auto_chain = yes
    check_crl = no
    check_all_crl = no
    ca_path_reload_interval = 0
    cipher_list = "DEFAULT"
    cipher_server_preference = no
    reject_unknown_intermediate_ca = no
    ecdh_curve = "secp384r1"
    tls_max_version = "1.2"
    tls_min_version = "1.2"
    cache {
        enable = no
        lifetime = 24
        max_entries = 255
    }
    verify {
        skip_if_ocsp_ok = no
    }
    ocsp {
        enable = no
        override_cert_url = yes
        url = "http://127.0.0.1/ocsp/"
        use_nonce = yes
        timeout = 0
        softfail = no
    }
   }
   # Linked to sub-module rlm_eap_ttls
   ttls {
    tls = "tls-common"
    default_eap_type = "md5"
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    virtual_server = "inner-tunnel"
    include_length = yes
    require_client_cert = no
   }
tls: Using cached TLS configuration from previous invocation
   # Linked to sub-module rlm_eap_peap
   peap {
    tls = "tls-common"
    default_eap_type = "mschapv2"
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    proxy_tunneled_request_as_eap = yes
    virtual_server = "inner-tunnel"
    soh = no
    require_client_cert = no
   }
tls: Using cached TLS configuration from previous invocation
   # Linked to sub-module rlm_eap_mschapv2
   mschapv2 {
    with_ntdomain_hack = no
    send_error = no
   }
  # Instantiating module "expiration" from file /etc/freeradius/mods-enabled/expiration
  # Instantiating module "logintime" from file /etc/freeradius/mods-enabled/logintime
 } # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
} # server
server default { # from file /etc/freeradius/sites-enabled/default
 # Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
 # Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
Compiling Autz-Type New-TLS-Connection for attr Autz-Type
 # Loading preacct {...}
 # Loading accounting {...}
 # Loading post-proxy {...}
 # Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
Compiling Post-Auth-Type Challenge for attr Post-Auth-Type
Compiling Post-Auth-Type Client-Lost for attr Post-Auth-Type
} # server default
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
 # Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
 # Loading authorize {...}
 # Loading session {...}
 # Loading post-proxy {...}
 # Loading post-auth {...}
 # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/sites-enabled/inner-tunnel:336
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
    type = "auth"
    ipaddr = *
    port = 0
   limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
   }
}
listen {
    type = "acct"
    ipaddr = *
    port = 0
   limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
   }
}
listen {
    type = "auth"
    ipv6addr = ::
    port = 0
   limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
   }
}
listen {
    type = "acct"
    ipv6addr = ::
    port = 0
   limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
   }
}
listen {
    type = "auth"
    ipaddr = 127.0.0.1
    port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 44500
Listening on proxy address :: port 60217
Ready to process requests
(0) Received Access-Request Id 129 from 192.168.3.2:38468 to 192.168.20.91:1812 length 238
(0)   User-Name = "daniel.niewerth"
(0)   NAS-IP-Address = 192.168.3.2
(0)   NAS-Identifier = "fa9fc2f59ae7"
(0)   Called-Station-Id = "FA-9F-C2-F5-9A-E7:AS34936"
(0)   NAS-Port-Type = Wireless-802.11
(0)   Service-Type = Framed-User
(0)   Calling-Station-Id = "26-0A-BD-F9-BD-39"
(0)   Connect-Info = "CONNECT 0Mbps 802.11b"
(0)   Acct-Session-Id = "30FCC6EBD7FA1BD1"
(0)   Acct-Multi-Session-Id = "15CE55CBE155D4C0"
(0)   WLAN-Pairwise-Cipher = 1027076
(0)   WLAN-Group-Cipher = 1027076
(0)   WLAN-AKM-Suite = 1027073
(0)   Framed-MTU = 1400
(0)   EAP-Message = 0x028b00140164616e69656c2e6e69657765727468
(0)   Message-Authenticator = 0x0912f4c300b30133bb4575cc581bc72e
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "daniel.niewerth", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 139 length 20
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 140 length 22
(0) eap: EAP session adding &reply:State = 0x533d5e9353b15a80
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0)   Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 129 from 192.168.20.91:1812 to 192.168.3.2:38468 length 80
(0)   EAP-Message = 0x018c001604102b990c86aca57bec0681f3e7f2669b4c
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0x533d5e9353b15a80f002d3e3df3a8c9a
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 130 from 192.168.3.2:38468 to 192.168.20.91:1812 length 242
(1)   User-Name = "daniel.niewerth"
(1)   NAS-IP-Address = 192.168.3.2
(1)   NAS-Identifier = "fa9fc2f59ae7"
(1)   Called-Station-Id = "FA-9F-C2-F5-9A-E7:AS34936"
(1)   NAS-Port-Type = Wireless-802.11
(1)   Service-Type = Framed-User
(1)   Calling-Station-Id = "26-0A-BD-F9-BD-39"
(1)   Connect-Info = "CONNECT 0Mbps 802.11b"
(1)   Acct-Session-Id = "30FCC6EBD7FA1BD1"
(1)   Acct-Multi-Session-Id = "15CE55CBE155D4C0"
(1)   WLAN-Pairwise-Cipher = 1027076
(1)   WLAN-Group-Cipher = 1027076
(1)   WLAN-AKM-Suite = 1027073
(1)   Framed-MTU = 1400
(1)   EAP-Message = 0x028c0006030d
(1)   State = 0x533d5e9353b15a80f002d3e3df3a8c9a
(1)   Message-Authenticator = 0x8990de694f0616ea1b1c28f41f822ced
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "daniel.niewerth", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 140 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1)     [eap] = updated
(1) files: users: Matched entry daniel.niewerth at line 207
(1)     [files] = ok
(1)     [expiration] = noop
(1)     [logintime] = noop
Not doing PAP as Auth-Type is already set.
(1)     [pap] = noop
(1)   } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0x533d5e9353b15a80
(1) eap: Finished EAP session with state 0x533d5e9353b15a80
(1) eap: Previous EAP request found for state 0x533d5e9353b15a80, released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type TLS (13)
(1) eap: Calling submodule eap_tls to process data
(1) eap_tls: (TLS) Initiating new session
(1) eap_tls: (TLS) Setting verify mode to require certificate from client
(1) eap: Sending EAP Request (code 1) ID 141 length 6
(1) eap: EAP session adding &reply:State = 0x533d5e9352b05380
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1)   Challenge { ... } # empty sub-section is ignored
(1) session-state: Saving cached attributes
(1)   Framed-MTU = 994
(1) Sent Access-Challenge Id 130 from 192.168.20.91:1812 to 192.168.3.2:38468 length 80
(1)   Tunnel-Type = VLAN
(1)   Tunnel-Medium-Type = IEEE-802
(1)   Tunnel-Private-Group-Id = "12"
(1)   EAP-Message = 0x018d00060d20
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0x533d5e9352b05380f002d3e3df3a8c9a
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 131 from 192.168.3.2:38468 to 192.168.20.91:1812 length 397
(2)   User-Name = "daniel.niewerth"
(2)   NAS-IP-Address = 192.168.3.2
(2)   NAS-Identifier = "fa9fc2f59ae7"
(2)   Called-Station-Id = "FA-9F-C2-F5-9A-E7:AS34936"
(2)   NAS-Port-Type = Wireless-802.11
(2)   Service-Type = Framed-User
(2)   Calling-Station-Id = "26-0A-BD-F9-BD-39"
(2)   Connect-Info = "CONNECT 0Mbps 802.11b"
(2)   Acct-Session-Id = "30FCC6EBD7FA1BD1"
(2)   Acct-Multi-Session-Id = "15CE55CBE155D4C0"
(2)   WLAN-Pairwise-Cipher = 1027076
(2)   WLAN-Group-Cipher = 1027076
(2)   WLAN-AKM-Suite = 1027073
(2)   Framed-MTU = 1400
(2)   EAP-Message = 0x028d00a10d800000009716030100920100008e030363ac6c8828f8c6f7b6bc0ad6d0061e892f86617d2dad662ecd6b2cff76cbb58800002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000
(2)   State = 0x533d5e9352b05380f002d3e3df3a8c9a
(2)   Message-Authenticator = 0xca56f50079079a2e9c64a2a02bd733b6
(2) Restoring &session-state
(2)   &session-state:Framed-MTU = 994
(2) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> FALSE
(2)         if (&User-Name =~ /@[^@]*@/ ) {
(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)         if (&User-Name =~ /\.\./ ) {
(2)         if (&User-Name =~ /\.\./ )  -> FALSE
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(2)         if (&User-Name =~ /\.$/)  {
(2)         if (&User-Name =~ /\.$/)   -> FALSE
(2)         if (&User-Name =~ /@\./)  {
(2)         if (&User-Name =~ /@\./)   -> FALSE
(2)       } # if (&User-Name)  = notfound
(2)     } # policy filter_username = notfound
(2)     [preprocess] = ok
(2)     [chap] = noop
(2)     [mschap] = noop
(2)     [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "daniel.niewerth", looking up realm NULL
(2) suffix: No such realm "NULL"
(2)     [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 141 length 161
(2) eap: No EAP Start, assuming it's an on-going EAP conversation
(2)     [eap] = updated
(2) files: users: Matched entry daniel.niewerth at line 207
(2)     [files] = ok
(2)     [expiration] = noop
(2)     [logintime] = noop
(2)     [pap] = noop
(2)   } # authorize = updated
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2)   authenticate {
(2) eap: Expiring EAP session with state 0x533d5e9352b05380
(2) eap: Finished EAP session with state 0x533d5e9352b05380
(2) eap: Previous EAP request found for state 0x533d5e9352b05380, released from the list
(2) eap: Peer sent packet with method EAP TLS (13)
(2) eap: Calling submodule eap_tls to process data
(2) eap_tls: (TLS) EAP Peer says that the final record size will be 151 bytes
(2) eap_tls: (TLS) EAP Got all data (151 bytes)
(2) eap_tls: (TLS) Handshake state - before SSL initialization
(2) eap_tls: (TLS) Handshake state - Server before SSL initialization
(2) eap_tls: (TLS) Handshake state - Server before SSL initialization
(2) eap_tls: (TLS) recv TLS 1.3 Handshake, ClientHello
(2) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client hello
(2) eap_tls: (TLS) send TLS 1.2 Handshake, ServerHello
(2) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server hello
(2) eap_tls: (TLS) send TLS 1.2 Handshake, Certificate
(2) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write certificate
(2) eap_tls: (TLS) send TLS 1.2 Handshake, ServerKeyExchange
(2) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write key exchange
(2) eap_tls: (TLS) send TLS 1.2 Handshake, CertificateRequest
(2) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write certificate request
(2) eap_tls: (TLS) send TLS 1.2 Handshake, ServerHelloDone
(2) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done
(2) eap_tls: (TLS) Server : Need to read more data: SSLv3/TLS write server done
(2) eap_tls: (TLS) In Handshake Phase
(2) eap: Sending EAP Request (code 1) ID 142 length 1004
(2) eap: EAP session adding &reply:State = 0x533d5e9351b35380
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2)   Challenge { ... } # empty sub-section is ignored
(2) session-state: Saving cached attributes
(2)   Framed-MTU = 994
(2)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(2)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(2)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(2)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(2)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
(2)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(2) Sent Access-Challenge Id 131 from 192.168.20.91:1812 to 192.168.3.2:38468 length 1084
(2)   Tunnel-Type = VLAN
(2)   Tunnel-Medium-Type = IEEE-802
(2)   Tunnel-Private-Group-Id = "12"
(2)   EAP-Message = 0x018e03ec0dc000001301160303003d020000390303bea1826496fd0aab71e0285a5aa06775569e54d15ec42cc6da35a377220cca5c00c02c000011ff01000100000b0004030001020017000016030310630b00105f00105c00030d308203093082028ea0030201020214267bddb6183d47bbe3ca532716a4e5262ba14cbf300a06082a8648ce3d04030230633120301e06035504030c17415333343933362045434320497373756520434120583131143012060355040a0c0b415333343933362e6e6574311c301a06035504080c134e6f7264726865696e2d5765737466616c656e310b3009060355040613024445301e170d3232313232373230343233355a170d3234313232363230343233345a3081dd311c301a06092a864886f70d0109080c0d3139322e3136382e32302e39313135303306092a864886f70d0109020c26767372762d647573362d72616430312e7072642e6475732e64652e617333343933362e6e6574312f302d06035504030c26767372762d
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0x533d5e9351b35380f002d3e3df3a8c9a
(2) Finished request
Waking up in 4.8 seconds.
(3) Received Access-Request Id 132 from 192.168.3.2:38468 to 192.168.20.91:1812 length 242
(3)   User-Name = "daniel.niewerth"
(3)   NAS-IP-Address = 192.168.3.2
(3)   NAS-Identifier = "fa9fc2f59ae7"
(3)   Called-Station-Id = "FA-9F-C2-F5-9A-E7:AS34936"
(3)   NAS-Port-Type = Wireless-802.11
(3)   Service-Type = Framed-User
(3)   Calling-Station-Id = "26-0A-BD-F9-BD-39"
(3)   Connect-Info = "CONNECT 0Mbps 802.11b"
(3)   Acct-Session-Id = "30FCC6EBD7FA1BD1"
(3)   Acct-Multi-Session-Id = "15CE55CBE155D4C0"
(3)   WLAN-Pairwise-Cipher = 1027076
(3)   WLAN-Group-Cipher = 1027076
(3)   WLAN-AKM-Suite = 1027073
(3)   Framed-MTU = 1400
(3)   EAP-Message = 0x028e00060d00
(3)   State = 0x533d5e9351b35380f002d3e3df3a8c9a
(3)   Message-Authenticator = 0x5997bb3945aa7d9cf8183ef37214c673
(3) Restoring &session-state
(3)   &session-state:Framed-MTU = 994
(3)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(3)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(3)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(3)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(3)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
(3)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(3) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(3)   authorize {
(3)     policy filter_username {
(3)       if (&User-Name) {
(3)       if (&User-Name)  -> TRUE
(3)       if (&User-Name)  {
(3)         if (&User-Name =~ / /) {
(3)         if (&User-Name =~ / /)  -> FALSE
(3)         if (&User-Name =~ /@[^@]*@/ ) {
(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(3)         if (&User-Name =~ /\.\./ ) {
(3)         if (&User-Name =~ /\.\./ )  -> FALSE
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(3)         if (&User-Name =~ /\.$/)  {
(3)         if (&User-Name =~ /\.$/)   -> FALSE
(3)         if (&User-Name =~ /@\./)  {
(3)         if (&User-Name =~ /@\./)   -> FALSE
(3)       } # if (&User-Name)  = notfound
(3)     } # policy filter_username = notfound
(3)     [preprocess] = ok
(3)     [chap] = noop
(3)     [mschap] = noop
(3)     [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "daniel.niewerth", looking up realm NULL
(3) suffix: No such realm "NULL"
(3)     [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 142 length 6
(3) eap: No EAP Start, assuming it's an on-going EAP conversation
(3)     [eap] = updated
(3) files: users: Matched entry daniel.niewerth at line 207
(3)     [files] = ok
(3)     [expiration] = noop
(3)     [logintime] = noop
(3)     [pap] = noop
(3)   } # authorize = updated
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3)   authenticate {
(3) eap: Expiring EAP session with state 0x533d5e9351b35380
(3) eap: Finished EAP session with state 0x533d5e9351b35380
(3) eap: Previous EAP request found for state 0x533d5e9351b35380, released from the list
(3) eap: Peer sent packet with method EAP TLS (13)
(3) eap: Calling submodule eap_tls to process data
(3) eap_tls: (TLS) Peer ACKed our handshake fragment
(3) eap: Sending EAP Request (code 1) ID 143 length 1004
(3) eap: EAP session adding &reply:State = 0x533d5e9350b25380
(3)     [eap] = handled
(3)   } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3)   Challenge { ... } # empty sub-section is ignored
(3) session-state: Saving cached attributes
(3)   Framed-MTU = 994
(3)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(3)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(3)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(3)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(3)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
(3)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(3) Sent Access-Challenge Id 132 from 192.168.20.91:1812 to 192.168.3.2:38468 length 1084
(3)   Tunnel-Type = VLAN
(3)   Tunnel-Medium-Type = IEEE-802
(3)   Tunnel-Private-Group-Id = "12"
(3)   EAP-Message = 0x018f03ec0dc00000130165696e2d5765737466616c656e310b3009060355040613024445301e170d3232313232353139343935335a170d3237313232343139343935325a30633120301e06035504030c17415333343933362045434320497373756520434120583131143012060355040a0c0b415333343933362e6e6574311c301a06035504080c134e6f7264726865696e2d5765737466616c656e310b30090603550406130244453076301006072a8648ce3d020106052b8104002203620004c5e19be88e22a34f8bbbf300b4f2bb62d7f6374faf0bed316dc821305c918bad130c40ea0e44020b6b9f52cda519c8888e5729d00f3df059827209d1fcd728c816867279ee27c741c8401c3e6c4dc6318b791a8ced92cf97da999a82c340a6bda38202a33082029f300f0603551d130101ff040530030101ff301f0603551d230418301680143cb810f22b53a270cc8887f5182e9d46088c5487304f06082b0601050507010104433041303f06082b06010505073001
(3)   Message-Authenticator = 0x00000000000000000000000000000000
(3)   State = 0x533d5e9350b25380f002d3e3df3a8c9a
(3) Finished request
Waking up in 4.8 seconds.
(4) Received Access-Request Id 133 from 192.168.3.2:38468 to 192.168.20.91:1812 length 242
(4)   User-Name = "daniel.niewerth"
(4)   NAS-IP-Address = 192.168.3.2
(4)   NAS-Identifier = "fa9fc2f59ae7"
(4)   Called-Station-Id = "FA-9F-C2-F5-9A-E7:AS34936"
(4)   NAS-Port-Type = Wireless-802.11
(4)   Service-Type = Framed-User
(4)   Calling-Station-Id = "26-0A-BD-F9-BD-39"
(4)   Connect-Info = "CONNECT 0Mbps 802.11b"
(4)   Acct-Session-Id = "30FCC6EBD7FA1BD1"
(4)   Acct-Multi-Session-Id = "15CE55CBE155D4C0"
(4)   WLAN-Pairwise-Cipher = 1027076
(4)   WLAN-Group-Cipher = 1027076
(4)   WLAN-AKM-Suite = 1027073
(4)   Framed-MTU = 1400
(4)   EAP-Message = 0x028f00060d00
(4)   State = 0x533d5e9350b25380f002d3e3df3a8c9a
(4)   Message-Authenticator = 0x7367fa6d6e7cdf4891edc32c09369145
(4) Restoring &session-state
(4)   &session-state:Framed-MTU = 994
(4)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(4)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(4)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(4)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(4)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
(4)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(4) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(4)   authorize {
(4)     policy filter_username {
(4)       if (&User-Name) {
(4)       if (&User-Name)  -> TRUE
(4)       if (&User-Name)  {
(4)         if (&User-Name =~ / /) {
(4)         if (&User-Name =~ / /)  -> FALSE
(4)         if (&User-Name =~ /@[^@]*@/ ) {
(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(4)         if (&User-Name =~ /\.\./ ) {
(4)         if (&User-Name =~ /\.\./ )  -> FALSE
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(4)         if (&User-Name =~ /\.$/)  {
(4)         if (&User-Name =~ /\.$/)   -> FALSE
(4)         if (&User-Name =~ /@\./)  {
(4)         if (&User-Name =~ /@\./)   -> FALSE
(4)       } # if (&User-Name)  = notfound
(4)     } # policy filter_username = notfound
(4)     [preprocess] = ok
(4)     [chap] = noop
(4)     [mschap] = noop
(4)     [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "daniel.niewerth", looking up realm NULL
(4) suffix: No such realm "NULL"
(4)     [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 143 length 6
(4) eap: No EAP Start, assuming it's an on-going EAP conversation
(4)     [eap] = updated
(4) files: users: Matched entry daniel.niewerth at line 207
(4)     [files] = ok
(4)     [expiration] = noop
(4)     [logintime] = noop
(4)     [pap] = noop
(4)   } # authorize = updated
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4)   authenticate {
(4) eap: Expiring EAP session with state 0x533d5e9350b25380
(4) eap: Finished EAP session with state 0x533d5e9350b25380
(4) eap: Previous EAP request found for state 0x533d5e9350b25380, released from the list
(4) eap: Peer sent packet with method EAP TLS (13)
(4) eap: Calling submodule eap_tls to process data
(4) eap_tls: (TLS) Peer ACKed our handshake fragment
(4) eap: Sending EAP Request (code 1) ID 144 length 1004
(4) eap: EAP session adding &reply:State = 0x533d5e9357ad5380
(4)     [eap] = handled
(4)   } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4)   Challenge { ... } # empty sub-section is ignored
(4) session-state: Saving cached attributes
(4)   Framed-MTU = 994
(4)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(4)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(4)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(4)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(4)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
(4)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(4) Sent Access-Challenge Id 133 from 192.168.20.91:1812 to 192.168.3.2:38468 length 1084
(4)   Tunnel-Type = VLAN
(4)   Tunnel-Medium-Type = IEEE-802
(4)   Tunnel-Private-Group-Id = "12"
(4)   EAP-Message = 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
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   State = 0x533d5e9357ad5380f002d3e3df3a8c9a
(4) Finished request
Waking up in 4.7 seconds.
(5) Received Access-Request Id 134 from 192.168.3.2:38468 to 192.168.20.91:1812 length 242
(5)   User-Name = "daniel.niewerth"
(5)   NAS-IP-Address = 192.168.3.2
(5)   NAS-Identifier = "fa9fc2f59ae7"
(5)   Called-Station-Id = "FA-9F-C2-F5-9A-E7:AS34936"
(5)   NAS-Port-Type = Wireless-802.11
(5)   Service-Type = Framed-User
(5)   Calling-Station-Id = "26-0A-BD-F9-BD-39"
(5)   Connect-Info = "CONNECT 0Mbps 802.11b"
(5)   Acct-Session-Id = "30FCC6EBD7FA1BD1"
(5)   Acct-Multi-Session-Id = "15CE55CBE155D4C0"
(5)   WLAN-Pairwise-Cipher = 1027076
(5)   WLAN-Group-Cipher = 1027076
(5)   WLAN-AKM-Suite = 1027073
(5)   Framed-MTU = 1400
(5)   EAP-Message = 0x029000060d00
(5)   State = 0x533d5e9357ad5380f002d3e3df3a8c9a
(5)   Message-Authenticator = 0xcff3ab3b3179a094e985bed6fac61e52
(5) Restoring &session-state
(5)   &session-state:Framed-MTU = 994
(5)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(5)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(5)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(5)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(5)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
(5)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(5) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(5)   authorize {
(5)     policy filter_username {
(5)       if (&User-Name) {
(5)       if (&User-Name)  -> TRUE
(5)       if (&User-Name)  {
(5)         if (&User-Name =~ / /) {
(5)         if (&User-Name =~ / /)  -> FALSE
(5)         if (&User-Name =~ /@[^@]*@/ ) {
(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)         if (&User-Name =~ /\.\./ ) {
(5)         if (&User-Name =~ /\.\./ )  -> FALSE
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(5)         if (&User-Name =~ /\.$/)  {
(5)         if (&User-Name =~ /\.$/)   -> FALSE
(5)         if (&User-Name =~ /@\./)  {
(5)         if (&User-Name =~ /@\./)   -> FALSE
(5)       } # if (&User-Name)  = notfound
(5)     } # policy filter_username = notfound
(5)     [preprocess] = ok
(5)     [chap] = noop
(5)     [mschap] = noop
(5)     [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "daniel.niewerth", looking up realm NULL
(5) suffix: No such realm "NULL"
(5)     [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 144 length 6
(5) eap: No EAP Start, assuming it's an on-going EAP conversation
(5)     [eap] = updated
(5) files: users: Matched entry daniel.niewerth at line 207
(5)     [files] = ok
(5)     [expiration] = noop
(5)     [logintime] = noop
(5)     [pap] = noop
(5)   } # authorize = updated
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5)   authenticate {
(5) eap: Expiring EAP session with state 0x533d5e9357ad5380
(5) eap: Finished EAP session with state 0x533d5e9357ad5380
(5) eap: Previous EAP request found for state 0x533d5e9357ad5380, released from the list
(5) eap: Peer sent packet with method EAP TLS (13)
(5) eap: Calling submodule eap_tls to process data
(5) eap_tls: (TLS) Peer ACKed our handshake fragment
(5) eap: Sending EAP Request (code 1) ID 145 length 1004
(5) eap: EAP session adding &reply:State = 0x533d5e9356ac5380
(5)     [eap] = handled
(5)   } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5)   Challenge { ... } # empty sub-section is ignored
(5) session-state: Saving cached attributes
(5)   Framed-MTU = 994
(5)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(5)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(5)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(5)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(5)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
(5)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(5) Sent Access-Challenge Id 134 from 192.168.20.91:1812 to 192.168.3.2:38468 length 1084
(5)   Tunnel-Type = VLAN
(5)   Tunnel-Medium-Type = IEEE-802
(5)   Tunnel-Private-Group-Id = "12"
(5)   EAP-Message = 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
(5)   Message-Authenticator = 0x00000000000000000000000000000000
(5)   State = 0x533d5e9356ac5380f002d3e3df3a8c9a
(5) Finished request
Waking up in 4.7 seconds.
(6) Received Access-Request Id 135 from 192.168.3.2:38468 to 192.168.20.91:1812 length 242
(6)   User-Name = "daniel.niewerth"
(6)   NAS-IP-Address = 192.168.3.2
(6)   NAS-Identifier = "fa9fc2f59ae7"
(6)   Called-Station-Id = "FA-9F-C2-F5-9A-E7:AS34936"
(6)   NAS-Port-Type = Wireless-802.11
(6)   Service-Type = Framed-User
(6)   Calling-Station-Id = "26-0A-BD-F9-BD-39"
(6)   Connect-Info = "CONNECT 0Mbps 802.11b"
(6)   Acct-Session-Id = "30FCC6EBD7FA1BD1"
(6)   Acct-Multi-Session-Id = "15CE55CBE155D4C0"
(6)   WLAN-Pairwise-Cipher = 1027076
(6)   WLAN-Group-Cipher = 1027076
(6)   WLAN-AKM-Suite = 1027073
(6)   Framed-MTU = 1400
(6)   EAP-Message = 0x029100060d00
(6)   State = 0x533d5e9356ac5380f002d3e3df3a8c9a
(6)   Message-Authenticator = 0x180e33761673fc843149fdcb27879752
(6) Restoring &session-state
(6)   &session-state:Framed-MTU = 994
(6)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(6)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(6)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(6)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(6)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
(6)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(6) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(6)   authorize {
(6)     policy filter_username {
(6)       if (&User-Name) {
(6)       if (&User-Name)  -> TRUE
(6)       if (&User-Name)  {
(6)         if (&User-Name =~ / /) {
(6)         if (&User-Name =~ / /)  -> FALSE
(6)         if (&User-Name =~ /@[^@]*@/ ) {
(6)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)         if (&User-Name =~ /\.\./ ) {
(6)         if (&User-Name =~ /\.\./ )  -> FALSE
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(6)         if (&User-Name =~ /\.$/)  {
(6)         if (&User-Name =~ /\.$/)   -> FALSE
(6)         if (&User-Name =~ /@\./)  {
(6)         if (&User-Name =~ /@\./)   -> FALSE
(6)       } # if (&User-Name)  = notfound
(6)     } # policy filter_username = notfound
(6)     [preprocess] = ok
(6)     [chap] = noop
(6)     [mschap] = noop
(6)     [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "daniel.niewerth", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)     [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 145 length 6
(6) eap: No EAP Start, assuming it's an on-going EAP conversation
(6)     [eap] = updated
(6) files: users: Matched entry daniel.niewerth at line 207
(6)     [files] = ok
(6)     [expiration] = noop
(6)     [logintime] = noop
(6)     [pap] = noop
(6)   } # authorize = updated
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6)   authenticate {
(6) eap: Expiring EAP session with state 0x533d5e9356ac5380
(6) eap: Finished EAP session with state 0x533d5e9356ac5380
(6) eap: Previous EAP request found for state 0x533d5e9356ac5380, released from the list
(6) eap: Peer sent packet with method EAP TLS (13)
(6) eap: Calling submodule eap_tls to process data
(6) eap_tls: (TLS) Peer ACKed our handshake fragment
(6) eap: Sending EAP Request (code 1) ID 146 length 899
(6) eap: EAP session adding &reply:State = 0x533d5e9355af5380
(6)     [eap] = handled
(6)   } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6)   Challenge { ... } # empty sub-section is ignored
(6) session-state: Saving cached attributes
(6)   Framed-MTU = 994
(6)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(6)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(6)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(6)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(6)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
(6)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(6) Sent Access-Challenge Id 135 from 192.168.20.91:1812 to 192.168.3.2:38468 length 979
(6)   Tunnel-Type = VLAN
(6)   Tunnel-Medium-Type = IEEE-802
(6)   Tunnel-Private-Group-Id = "12"
(6)   EAP-Message = 0x019203830d8000001301696e2d5765737466616c656e253243432533444445a266a4643062311f301d06035504030c16415333343933362045434320526f6f7420434120583131143012060355040a0c0b415333343933362e6e6574311c301a06035504080c134e6f7264726865696e2d5765737466616c656e310b3009060355040613024445301d0603551d0e04160414ee40f58463599e9d3edeb2adeef95b253b70c61a300e0603551d0f0101ff040403020186300a06082a8648ce3d040302036800306502304d6fdf9a7ebdb0530b66964cda674d78d535aee37404075504a3bcc8c20d3ef77126736a306b017eb85098830254a4a2023100bd5027203964139850d847e23bc22a9a7f84b73d891eb1ac37f5e225ff98c8d67ec089b35ec6a44d87f38f5c440198f816030300d50c0000d1030018610498d62bcc77f21addc74bc99b2a5a145270f849a57f59c4ff16457f2a9d06e277b8b579710052c7d31c2bbfc32ee0e1450bb6c4b3584db3f9626aaca1dd
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0x533d5e9355af5380f002d3e3df3a8c9a
(6) Finished request
Waking up in 4.7 seconds.
(7) Received Access-Request Id 136 from 192.168.3.2:38468 to 192.168.20.91:1812 length 1208
(7)   User-Name = "daniel.niewerth"
(7)   NAS-IP-Address = 192.168.3.2
(7)   NAS-Identifier = "fa9fc2f59ae7"
(7)   Called-Station-Id = "FA-9F-C2-F5-9A-E7:AS34936"
(7)   NAS-Port-Type = Wireless-802.11
(7)   Service-Type = Framed-User
(7)   Calling-Station-Id = "26-0A-BD-F9-BD-39"
(7)   Connect-Info = "CONNECT 0Mbps 802.11b"
(7)   Acct-Session-Id = "30FCC6EBD7FA1BD1"
(7)   Acct-Multi-Session-Id = "15CE55CBE155D4C0"
(7)   WLAN-Pairwise-Cipher = 1027076
(7)   WLAN-Group-Cipher = 1027076
(7)   WLAN-AKM-Suite = 1027073
(7)   Framed-MTU = 1400
(7)   EAP-Message = 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
(7)   State = 0x533d5e9355af5380f002d3e3df3a8c9a
(7)   Message-Authenticator = 0x8a971ad08acabb5ff11a189c417828d3
(7) Restoring &session-state
(7)   &session-state:Framed-MTU = 994
(7)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(7)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(7)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(7)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(7)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
(7)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(7) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(7)   authorize {
(7)     policy filter_username {
(7)       if (&User-Name) {
(7)       if (&User-Name)  -> TRUE
(7)       if (&User-Name)  {
(7)         if (&User-Name =~ / /) {
(7)         if (&User-Name =~ / /)  -> FALSE
(7)         if (&User-Name =~ /@[^@]*@/ ) {
(7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)         if (&User-Name =~ /\.\./ ) {
(7)         if (&User-Name =~ /\.\./ )  -> FALSE
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(7)         if (&User-Name =~ /\.$/)  {
(7)         if (&User-Name =~ /\.$/)   -> FALSE
(7)         if (&User-Name =~ /@\./)  {
(7)         if (&User-Name =~ /@\./)   -> FALSE
(7)       } # if (&User-Name)  = notfound
(7)     } # policy filter_username = notfound
(7)     [preprocess] = ok
(7)     [chap] = noop
(7)     [mschap] = noop
(7)     [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "daniel.niewerth", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)     [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 146 length 966
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7)     [eap] = updated
(7) files: users: Matched entry daniel.niewerth at line 207
(7)     [files] = ok
(7)     [expiration] = noop
(7)     [logintime] = noop
(7)     [pap] = noop
(7)   } # authorize = updated
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/sites-enabled/default
(7)   authenticate {
(7) eap: Expiring EAP session with state 0x533d5e9355af5380
(7) eap: Finished EAP session with state 0x533d5e9355af5380
(7) eap: Previous EAP request found for state 0x533d5e9355af5380, released from the list
(7) eap: Peer sent packet with method EAP TLS (13)
(7) eap: Calling submodule eap_tls to process data
(7) eap_tls: (TLS) EAP Peer says that the final record size will be 956 bytes
(7) eap_tls: (TLS) EAP Got all data (956 bytes)
(7) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done
(7) eap_tls: (TLS) recv TLS 1.2 Handshake, Certificate
Segmentation fault (core dumped)
root@vsrv-dus6-rad01:~#

Relevant log output from client utilities

root@vsrv-dus6-rad01:~# tail -f /var/log/syslog 
Dec 28 16:19:20 vsrv-dus6-rad01 kernel: [191371.887730] freeradius[7245]: segfault at 2 ip 00007fe7245c39fa sp 00007ffc06966dd8 error 4 in libc.so.6[7fe724531000+195000]
Dec 28 16:19:20 vsrv-dus6-rad01 kernel: [191371.887779] Code: f3 0f 1e fa 66 0f ef c0 66 0f ef c9 66 0f ef d2 66 0f ef db 48 89 f8 48 89 f9 48 81 e1 ff 0f 00 00 48 81 f9 cf 0f 00 00 77 66 <f3> 0f 6f 20 66 0f 74 e0 66 0f d7 d4 85 d2 74 04 0f bc c2 c3 48 83
root@vsrv-dus6-rad01:~# 

Backtrace from LLDB or GDB

No response

alandekok commented 1 year ago

Please provide a backtrace as documented in doc/bugs. We can't reproduce this here, so it's difficult to know what's going on in your system.

alandekok commented 1 year ago

Just to be clear: if we don't get a gdb back trace, we will close this bug in a few weeks as "unverified".

No one else is running into this issue. So it's either a very weird bug, or there's something broken on your system.

The only way for us to fix the bug is for you to provide a gdb back trace. So if you want the bug fixed, do that.

CryptoproctaX commented 1 year ago

Following the wiki, last night I built v3.2.1 from source with the "--enable-developer" flag so that I could generate the backtrace. I did this on the same system as the previous tests with the package versions.

In the config files of the build-from-source variant (in /usr/local/etc/raddb/) I made exactly the same changes as in the config files of the package variant (in /etc/freeradius) and used the same certificates.

I started the build-from-source variant (/usr/local/sbin/radiusd) and tested whether the error happens there too. It does not: the error does not occur with this build.

I then tested the package variant (/usr/sbin/freeradius) again as a cross-check. Here the error still occurs.

Now it gets crazy:

I wanted to see whether I could also create the gdb trace with the package variant. I started freeradius under gdb and was surprised to see that the error does not occur. The authentication works.

Afterwards I did a cross-check and started freeradius without gdb, and everything is as before: the error occurs and the application crashes.

root@vsrv-dus6-rad01:~# gdb freeradius
GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from freeradius...
(No debugging symbols found in freeradius)
(gdb) run -xfl stdout
Starting program: /usr/sbin/freeradius -xfl stdout
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
FreeRADIUS Version 3.2.1
Copyright (C) 1999-2022 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
[Detaching after fork from child process 54318]
Starting - reading configuration files ...
Found debugger attached
systemd watchdog is disabled
Creating attribute Unix-Group
rlm_mschap (mschap): using internal authentication
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
tls: Using cached TLS configuration from previous invocation
tls: Using cached TLS configuration from previous invocation
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
Compiling Autz-Type New-TLS-Connection for attr Autz-Type
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
Compiling Post-Auth-Type Challenge for attr Post-Auth-Type
Compiling Post-Auth-Type Client-Lost for attr Post-Auth-Type
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
 # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/sites-enabled/inner-tunnel:336
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
[New Thread 0x7ffff2a3b640 (LWP 54319)]
[New Thread 0x7ffff223a640 (LWP 54320)]
[New Thread 0x7ffff1a39640 (LWP 54321)]
[New Thread 0x7ffff1238640 (LWP 54322)]
[New Thread 0x7ffff0a37640 (LWP 54323)]
radiusd: #### Opening IP addresses and Ports ####
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 42623
Listening on proxy address :: port 38677
Ready to process requests
Waking up in 0.3 seconds.
(0) Received Access-Request Id 29 from 192.168.3.12:43076 to 192.168.20.91:1812 length 238
(0)   User-Name = "daniel.niewerth"
(0)   NAS-IP-Address = 192.168.3.12
(0)   NAS-Identifier = "fa9fc2f59ae7"
(0)   Called-Station-Id = "FA-9F-C2-F5-9A-E7:AS34936"
(0)   NAS-Port-Type = Wireless-802.11
(0)   Service-Type = Framed-User
(0)   Calling-Station-Id = "26-0A-BD-F9-BD-39"
(0)   Connect-Info = "CONNECT 0Mbps 802.11b"
(0)   Acct-Session-Id = "AED6D178A0EAEF80"
(0)   Acct-Multi-Session-Id = "2362C02DC7B8CCC7"
(0)   WLAN-Pairwise-Cipher = 1027076
(0)   WLAN-Group-Cipher = 1027076
(0)   WLAN-AKM-Suite = 1027073
(0)   Framed-MTU = 1400
(0)   EAP-Message = 0x02ec00140164616e69656c2e6e69657765727468
(0)   Message-Authenticator = 0x6a893394b863bcfcefdaec705b9e595d
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) eap: EAP session adding &reply:State = 0xe8801569e86d11fa
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Sent Access-Challenge Id 29 from 192.168.20.91:1812 to 192.168.3.12:43076 length 80
(0)   EAP-Message = 0x01ed001604102205e61abd48fb6934b611978671f29f
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0xe8801569e86d11fa559e600794b363d7
Waking up in 0.2 seconds.
(1) Received Access-Request Id 30 from 192.168.3.12:43076 to 192.168.20.91:1812 length 242
(1)   User-Name = "daniel.niewerth"
(1)   NAS-IP-Address = 192.168.3.12
(1)   NAS-Identifier = "fa9fc2f59ae7"
(1)   Called-Station-Id = "FA-9F-C2-F5-9A-E7:AS34936"
(1)   NAS-Port-Type = Wireless-802.11
(1)   Service-Type = Framed-User
(1)   Calling-Station-Id = "26-0A-BD-F9-BD-39"
(1)   Connect-Info = "CONNECT 0Mbps 802.11b"
(1)   Acct-Session-Id = "AED6D178A0EAEF80"
(1)   Acct-Multi-Session-Id = "2362C02DC7B8CCC7"
(1)   WLAN-Pairwise-Cipher = 1027076
(1)   WLAN-Group-Cipher = 1027076
(1)   WLAN-AKM-Suite = 1027073
(1)   Framed-MTU = 1400
(1)   EAP-Message = 0x02ed0006030d
(1)   State = 0xe8801569e86d11fa559e600794b363d7
(1)   Message-Authenticator = 0xb504a4debb688c834298366951ebfe2f
(1) # Executing section authorize from file /etc/freeradius/sites-enabled/default
Not doing PAP as Auth-Type is already set.
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) eap: Expiring EAP session with state 0xe8801569e86d11fa
(1) eap: Finished EAP session with state 0xe8801569e86d11fa
(1) eap: Previous EAP request found for state 0xe8801569e86d11fa, released from the list
(1) eap: Found mutually acceptable type TLS (13)
(1) eap: EAP session adding &reply:State = 0xe8801569e96e18fa
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1)   Framed-MTU = 994
(1) Sent Access-Challenge Id 30 from 192.168.20.91:1812 to 192.168.3.12:43076 length 81
(1)   Tunnel-Type = VLAN
(1)   Tunnel-Medium-Type = IEEE-802
(1)   Tunnel-Private-Group-Id = "200"
(1)   EAP-Message = 0x01ee00060d20
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0xe8801569e96e18fa559e600794b363d7
Waking up in 0.2 seconds.
(2) Received Access-Request Id 31 from 192.168.3.12:43076 to 192.168.20.91:1812 length 397
(2)   User-Name = "daniel.niewerth"
(2)   NAS-IP-Address = 192.168.3.12
(2)   NAS-Identifier = "fa9fc2f59ae7"
(2)   Called-Station-Id = "FA-9F-C2-F5-9A-E7:AS34936"
(2)   NAS-Port-Type = Wireless-802.11
(2)   Service-Type = Framed-User
(2)   Calling-Station-Id = "26-0A-BD-F9-BD-39"
(2)   Connect-Info = "CONNECT 0Mbps 802.11b"
(2)   Acct-Session-Id = "AED6D178A0EAEF80"
(2)   Acct-Multi-Session-Id = "2362C02DC7B8CCC7"
(2)   WLAN-Pairwise-Cipher = 1027076
(2)   WLAN-Group-Cipher = 1027076
(2)   WLAN-AKM-Suite = 1027073
(2)   Framed-MTU = 1400
(2)   EAP-Message = 0x02ee00a10d800000009716030100920100008e030363ade078022b3affeb3efec509e3fbcb0c782a2f8cb3363e018dcdc40ae6aef100002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000
(2)   State = 0xe8801569e96e18fa559e600794b363d7
(2)   Message-Authenticator = 0x14c84f86f7ccc06ee027f3da6fc7d5bc
(2) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2) eap: Expiring EAP session with state 0xe8801569e96e18fa
(2) eap: Finished EAP session with state 0xe8801569e96e18fa
(2) eap: Previous EAP request found for state 0xe8801569e96e18fa, released from the list
(2) eap: EAP session adding &reply:State = 0xe8801569ea6f18fa
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2)   Framed-MTU = 994
(2)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(2)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(2)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(2)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(2)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
(2)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(2) Sent Access-Challenge Id 31 from 192.168.20.91:1812 to 192.168.3.12:43076 length 1085
(2)   Tunnel-Type = VLAN
(2)   Tunnel-Medium-Type = IEEE-802
(2)   Tunnel-Private-Group-Id = "200"
(2)   EAP-Message = 0x01ef03ec0dc000001300160303003d020000390303c7b7490e70ea37919461ad9d1dd026ca3f37701e2df1e598d2a54137a3efd9a700c02c000011ff01000100000b0004030001020017000016030310630b00105f00105c00030d308203093082028ea0030201020214267bddb6183d47bbe3ca532716a4e5262ba14cbf300a06082a8648ce3d04030230633120301e06035504030c17415333343933362045434320497373756520434120583131143012060355040a0c0b415333343933362e6e6574311c301a06035504080c134e6f7264726865696e2d5765737466616c656e310b3009060355040613024445301e170d3232313232373230343233355a170d3234313232363230343233345a3081dd311c301a06092a864886f70d0109080c0d3139322e3136382e32302e39313135303306092a864886f70d0109020c26767372762d647573362d72616430312e7072642e6475732e64652e617333343933362e6e6574312f302d06035504030c26767372762d
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0xe8801569ea6f18fa559e600794b363d7
Waking up in 0.2 seconds.
(3) Received Access-Request Id 32 from 192.168.3.12:43076 to 192.168.20.91:1812 length 242
(3)   User-Name = "daniel.niewerth"
(3)   NAS-IP-Address = 192.168.3.12
(3)   NAS-Identifier = "fa9fc2f59ae7"
(3)   Called-Station-Id = "FA-9F-C2-F5-9A-E7:AS34936"
(3)   NAS-Port-Type = Wireless-802.11
(3)   Service-Type = Framed-User
(3)   Calling-Station-Id = "26-0A-BD-F9-BD-39"
(3)   Connect-Info = "CONNECT 0Mbps 802.11b"
(3)   Acct-Session-Id = "AED6D178A0EAEF80"
(3)   Acct-Multi-Session-Id = "2362C02DC7B8CCC7"
(3)   WLAN-Pairwise-Cipher = 1027076
(3)   WLAN-Group-Cipher = 1027076
(3)   WLAN-AKM-Suite = 1027073
(3)   Framed-MTU = 1400
(3)   EAP-Message = 0x02ef00060d00
(3)   State = 0xe8801569ea6f18fa559e600794b363d7
(3)   Message-Authenticator = 0x878639b8e4fb23b7552197f28c7dfa8e
(3) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3) eap: Expiring EAP session with state 0xe8801569ea6f18fa
(3) eap: Finished EAP session with state 0xe8801569ea6f18fa
(3) eap: Previous EAP request found for state 0xe8801569ea6f18fa, released from the list
(3) eap: EAP session adding &reply:State = 0xe8801569eb7018fa
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3)   Framed-MTU = 994
(3)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(3)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(3)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(3)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(3)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
(3)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(3) Sent Access-Challenge Id 32 from 192.168.20.91:1812 to 192.168.3.12:43076 length 1085
(3)   Tunnel-Type = VLAN
(3)   Tunnel-Medium-Type = IEEE-802
(3)   Tunnel-Private-Group-Id = "200"
(3)   EAP-Message = 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
(3)   Message-Authenticator = 0x00000000000000000000000000000000
(3)   State = 0xe8801569eb7018fa559e600794b363d7
(4) Received Access-Request Id 33 from 192.168.3.12:43076 to 192.168.20.91:1812 length 242
(4)   User-Name = "daniel.niewerth"
(4)   NAS-IP-Address = 192.168.3.12
(4)   NAS-Identifier = "fa9fc2f59ae7"
(4)   Called-Station-Id = "FA-9F-C2-F5-9A-E7:AS34936"
(4)   NAS-Port-Type = Wireless-802.11
(4)   Service-Type = Framed-User
(4)   Calling-Station-Id = "26-0A-BD-F9-BD-39"
(4)   Connect-Info = "CONNECT 0Mbps 802.11b"
(4)   Acct-Session-Id = "AED6D178A0EAEF80"
(4)   Acct-Multi-Session-Id = "2362C02DC7B8CCC7"
(4)   WLAN-Pairwise-Cipher = 1027076
(4)   WLAN-Group-Cipher = 1027076
(4)   WLAN-AKM-Suite = 1027073
(4)   Framed-MTU = 1400
(4)   EAP-Message = 0x02f000060d00
Waking up in 0.1 seconds.
(4)   State = 0xe8801569eb7018fa559e600794b363d7
(4)   Message-Authenticator = 0x00ae97047c7e4d306f9dcdacf92a5c6e
(4) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4) eap: Expiring EAP session with state 0xe8801569eb7018fa
(4) eap: Finished EAP session with state 0xe8801569eb7018fa
(4) eap: Previous EAP request found for state 0xe8801569eb7018fa, released from the list
(4) eap: EAP session adding &reply:State = 0xe8801569ec7118fa
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4)   Framed-MTU = 994
(4)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(4)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(4)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(4)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(4)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
(4)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(4) Sent Access-Challenge Id 33 from 192.168.20.91:1812 to 192.168.3.12:43076 length 1085
(4)   Tunnel-Type = VLAN
(4)   Tunnel-Medium-Type = IEEE-802
(4)   Tunnel-Private-Group-Id = "200"
(4)   EAP-Message = 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
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   State = 0xe8801569ec7118fa559e600794b363d7
Waking up in 0.1 seconds.
(5) Received Access-Request Id 34 from 192.168.3.12:43076 to 192.168.20.91:1812 length 242
(5)   User-Name = "daniel.niewerth"
(5)   NAS-IP-Address = 192.168.3.12
(5)   NAS-Identifier = "fa9fc2f59ae7"
(5)   Called-Station-Id = "FA-9F-C2-F5-9A-E7:AS34936"
(5)   NAS-Port-Type = Wireless-802.11
(5)   Service-Type = Framed-User
(5)   Calling-Station-Id = "26-0A-BD-F9-BD-39"
(5)   Connect-Info = "CONNECT 0Mbps 802.11b"
(5)   Acct-Session-Id = "AED6D178A0EAEF80"
(5)   Acct-Multi-Session-Id = "2362C02DC7B8CCC7"
(5)   WLAN-Pairwise-Cipher = 1027076
(5)   WLAN-Group-Cipher = 1027076
(5)   WLAN-AKM-Suite = 1027073
(5)   Framed-MTU = 1400
(5)   EAP-Message = 0x02f100060d00
(5)   State = 0xe8801569ec7118fa559e600794b363d7
(5)   Message-Authenticator = 0x31990bc261400e894be7b31ade8bb281
(5) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) eap: Expiring EAP session with state 0xe8801569ec7118fa
(5) eap: Finished EAP session with state 0xe8801569ec7118fa
(5) eap: Previous EAP request found for state 0xe8801569ec7118fa, released from the list
(5) eap: EAP session adding &reply:State = 0xe8801569ed7218fa
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5)   Framed-MTU = 994
(5)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(5)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(5)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(5)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(5)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
(5)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(5) Sent Access-Challenge Id 34 from 192.168.20.91:1812 to 192.168.3.12:43076 length 1085
(5)   Tunnel-Type = VLAN
(5)   Tunnel-Medium-Type = IEEE-802
(5)   Tunnel-Private-Group-Id = "200"
(5)   EAP-Message = 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
(5)   Message-Authenticator = 0x00000000000000000000000000000000
(5)   State = 0xe8801569ed7218fa559e600794b363d7
(6) Received Access-Request Id 35 from 192.168.3.12:43076 to 192.168.20.91:1812 length 242
(6)   User-Name = "daniel.niewerth"
(6)   NAS-IP-Address = 192.168.3.12
(6)   NAS-Identifier = "fa9fc2f59ae7"
(6)   Called-Station-Id = "FA-9F-C2-F5-9A-E7:AS34936"
(6)   NAS-Port-Type = Wireless-802.11
(6)   Service-Type = Framed-User
(6)   Calling-Station-Id = "26-0A-BD-F9-BD-39"
(6)   Connect-Info = "CONNECT 0Mbps 802.11b"
(6)   Acct-Session-Id = "AED6D178A0EAEF80"
(6)   Acct-Multi-Session-Id = "2362C02DC7B8CCC7"
(6)   WLAN-Pairwise-Cipher = 1027076
(6)   WLAN-Group-Cipher = 1027076
(6)   WLAN-AKM-Suite = 1027073
(6)   Framed-MTU = 1400
(6)   EAP-Message = 0x02f200060d00
(6)   State = 0xe8801569ed7218fa559e600794b363d7
(6)   Message-Authenticator = 0x374d1672a0b0bc8611720ea1bded1700
(6) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6) eap: Expiring EAP session with state 0xe8801569ed7218fa
(6) eap: Finished EAP session with state 0xe8801569ed7218fa
(6) eap: Previous EAP request found for state 0xe8801569ed7218fa, released from the list
(6) eap: EAP session adding &reply:State = 0xe8801569ee7318fa
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6)   Framed-MTU = 994
(6)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(6)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(6)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(6)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(6)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
(6)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(6) Sent Access-Challenge Id 35 from 192.168.20.91:1812 to 192.168.3.12:43076 length 979
(6)   Tunnel-Type = VLAN
(6)   Tunnel-Medium-Type = IEEE-802
(6)   Tunnel-Private-Group-Id = "200"
(6)   EAP-Message = 0x01f303820d8000001300696e2d5765737466616c656e253243432533444445a266a4643062311f301d06035504030c16415333343933362045434320526f6f7420434120583131143012060355040a0c0b415333343933362e6e6574311c301a06035504080c134e6f7264726865696e2d5765737466616c656e310b3009060355040613024445301d0603551d0e04160414ee40f58463599e9d3edeb2adeef95b253b70c61a300e0603551d0f0101ff040403020186300a06082a8648ce3d040302036800306502304d6fdf9a7ebdb0530b66964cda674d78d535aee37404075504a3bcc8c20d3ef77126736a306b017eb85098830254a4a2023100bd5027203964139850d847e23bc22a9a7f84b73d891eb1ac37f5e225ff98c8d67ec089b35ec6a44d87f38f5c440198f816030300d40c0000d00300186104f448e4e09b848393e6f0dbedfd066c61a5b8bd8eb0b7e42675c43f8dd1f1f2e54ded747fe20c61837a9db45e3b03545d59a8e07fdc1643b8b37e2adc5b
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0xe8801569ee7318fa559e600794b363d7
Waking up in 0.1 seconds.
(7) Received Access-Request Id 36 from 192.168.3.12:43076 to 192.168.20.91:1812 length 1207
(7)   User-Name = "daniel.niewerth"
(7)   NAS-IP-Address = 192.168.3.12
(7)   NAS-Identifier = "fa9fc2f59ae7"
(7)   Called-Station-Id = "FA-9F-C2-F5-9A-E7:AS34936"
(7)   NAS-Port-Type = Wireless-802.11
(7)   Service-Type = Framed-User
(7)   Calling-Station-Id = "26-0A-BD-F9-BD-39"
(7)   Connect-Info = "CONNECT 0Mbps 802.11b"
(7)   Acct-Session-Id = "AED6D178A0EAEF80"
(7)   Acct-Multi-Session-Id = "2362C02DC7B8CCC7"
(7)   WLAN-Pairwise-Cipher = 1027076
(7)   WLAN-Group-Cipher = 1027076
(7)   WLAN-AKM-Suite = 1027073
(7)   Framed-MTU = 1400
(7)   EAP-Message = 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
(7)   State = 0xe8801569ee7318fa559e600794b363d7
(7)   Message-Authenticator = 0x81793234b06366f70274cbbdcc7acd08
(7) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(7) # Executing group from file /etc/freeradius/sites-enabled/default
(7) eap: Expiring EAP session with state 0xe8801569ee7318fa
(7) eap: Finished EAP session with state 0xe8801569ee7318fa
(7) eap: Previous EAP request found for state 0xe8801569ee7318fa, released from the list
(7) eap: EAP session adding &reply:State = 0xe8801569ef7418fa
(7) # Executing group from file /etc/freeradius/sites-enabled/default
(7)   Framed-MTU = 994
(7)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(7)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(7)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(7)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(7)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
(7)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(7)   TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Certificate"
(7)   TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(7)   TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, CertificateVerify"
(7)   TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(7)   TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(7)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(7)   TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES256-GCM-SHA384"
(7)   TLS-Session-Version = "TLS 1.2"
(7) Sent Access-Challenge Id 36 from 192.168.20.91:1812 to 192.168.3.12:43076 length 136
(7)   Tunnel-Type = VLAN
(7)   Tunnel-Medium-Type = IEEE-802
(7)   Tunnel-Private-Group-Id = "200"
(7)   EAP-Message = 0x01f4003d0d80000000331403030001011603030028cb9c87e907b53eb0ad374c7fc4838d9bcd153fb215753fdf2efdd0227fb64ff71f2295119362471d
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0xe8801569ef7418fa559e600794b363d7
(8) Received Access-Request Id 37 from 192.168.3.12:43076 to 192.168.20.91:1812 length 242
(8)   User-Name = "daniel.niewerth"
(8)   NAS-IP-Address = 192.168.3.12
(8)   NAS-Identifier = "fa9fc2f59ae7"
(8)   Called-Station-Id = "FA-9F-C2-F5-9A-E7:AS34936"
(8)   NAS-Port-Type = Wireless-802.11
(8)   Service-Type = Framed-User
(8)   Calling-Station-Id = "26-0A-BD-F9-BD-39"
(8)   Connect-Info = "CONNECT 0Mbps 802.11b"
(8)   Acct-Session-Id = "AED6D178A0EAEF80"
(8)   Acct-Multi-Session-Id = "2362C02DC7B8CCC7"
(8)   WLAN-Pairwise-Cipher = 1027076
(8)   WLAN-Group-Cipher = 1027076
(8)   WLAN-AKM-Suite = 1027073
(8)   Framed-MTU = 1400
(8)   EAP-Message = 0x02f400060d00
(8)   State = 0xe8801569ef7418fa559e600794b363d7
(8)   Message-Authenticator = 0xda603239908e585aa9589fc7e2d67136
(8) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(8) # Executing group from file /etc/freeradius/sites-enabled/default
(8) eap: Expiring EAP session with state 0xe8801569ef7418fa
(8) eap: Finished EAP session with state 0xe8801569ef7418fa
(8) eap: Previous EAP request found for state 0xe8801569ef7418fa, released from the list
(8) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
(8)       &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994
(8)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake, ClientHello'
(8)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHello'
(8)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Certificate'
(8)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerKeyExchange'
(8)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, CertificateRequest'
(8)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHelloDone'
(8)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, Certificate'
(8)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, ClientKeyExchange'
(8)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, CertificateVerify'
(8)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, Finished'
(8)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 ChangeCipherSpec'
(8)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Finished'
(8)       &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-ECDSA-AES256-GCM-SHA384'
(8)       &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(8) Sent Access-Accept Id 37 from 192.168.20.91:1812 to 192.168.3.12:43076 length 200
(8)   Tunnel-Type = VLAN
(8)   Tunnel-Medium-Type = IEEE-802
(8)   Tunnel-Private-Group-Id = "200"
(8)   MS-MPPE-Recv-Key = 0x5081553f0730e72a35dcc00e23319b24672fde86f460b4b34fc2de416bc15a70
(8)   MS-MPPE-Send-Key = 0x53671848a0194cc57cd7ee1a91087485ac69356d8ae60ceeed13fcd7bb15629b
(8)   EAP-Message = 0x03f40004
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   User-Name = "daniel.niewerth"
(8)   Framed-MTU += 994
Waking up in 4.3 seconds.
Ready to process requests
jpereira commented 1 year ago

@CryptoproctaX the output you posted doesn't show any crash. Could you repeat the tests until you get an error similar to the one you mentioned in your ticket? Please follow the steps available at https://wiki.freeradius.org/project/bug-reports

CryptoproctaX commented 1 year ago

@jpereira I am not sure if you read what I had just written. When I start freeradius under gdb the error does not occur. I have repeated the test several times.

If I start freeradius (package variant) without gdb the error occurs at every attempt.

alandekok commented 1 year ago

You could try rebuilding with ./configure --enable-address-sanitizer .... Recent versions of GCC and LLVM support that.

If the crash is due to buffer over-runs or use after free, the sanitizer code will print out full stack traces, without using gdb.

alandekok commented 1 year ago

Without any additional information, it will be impossible for us to fix this.

mcnewton commented 1 year ago

No further information so this is impossible to debug as-is.