Ready to process requests
(0) Received Access-Request Id 160 from 10.0.3.1:49907 to 10.0.3.11:1812 length 216
(0) User-Name = "c4-b3-01-d9-4e-6b.v2@rocky*.de"
(0) NAS-Port-Type = Virtual
(0) Service-Type = Framed-User
(0) NAS-Port = 35
(0) NAS-Port-Id = "con-mobile"
(0) NAS-IP-Address = 10.0.1.22
(0) Called-Station-Id = "10.0.1.22[4500]"
(0) Calling-Station-Id = "91.224.227.248[43805]"
(0) EAP-Message = 0x0200002b0163342d62332d30312d64392d34652d36622e763240726f636b796d6f756e7461696e732e6465
(0) NAS-Identifier = "strongSwan"
(0) Message-Authenticator = 0xf681591ec674e97169eb802a6398886d
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default-ikev2
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "rocky*.de" for User-Name = "c4-b3-01-d9-4e-6b.v2@rocky*.de"
(0) suffix: No such realm "rocky*.de"
(0) [suffix] = noop
(0) eap_ikev2: Peer sent EAP Response (code 2) ID 0 length 43
(0) eap_ikev2: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap_ikev2] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap_ikev2
(0) # Executing group from file /etc/raddb/sites-enabled/default-ikev2
(0) authenticate {
(0) eap_ikev2: Peer sent packet with method EAP Identity (1)
(0) eap_ikev2: Calling submodule eap_tls to process data
(0) eap_tls: Initiating new TLS session
(0) eap_tls: Flushing SSL sessions (of #0)
(0) eap_tls: Setting verify mode to require certificate from client
(0) eap_tls: [eaptls start] = request
(0) eap_ikev2: Sending EAP Request (code 1) ID 1 length 6
(0) eap_ikev2: EAP session adding &reply:State = 0xacf2fb4eacf3f600
(0) [eap_ikev2] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/raddb/sites-enabled/default-ikev2
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 160 from 10.0.3.11:1812 to 10.0.3.1:49907 length 0
(0) EAP-Message = 0x010100060d20
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xacf2fb4eacf3f6007bce43a934f32d81
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 161 from 10.0.3.1:49907 to 10.0.3.11:1812 length 352
(1) User-Name = "c4-b3-01-d9-4e-6b.v2@rocky*.de"
(1) NAS-Port-Type = Virtual
(1) Service-Type = Framed-User
(1) NAS-Port = 35
(1) NAS-Port-Id = "con-mobile"
(1) NAS-IP-Address = 10.0.1.22
(1) Called-Station-Id = "10.0.1.22[4500]"
(1) Calling-Station-Id = "91.224.227.248[43805]"
(1) EAP-Message = 0x020100a10d800000009716030100920100008e03035d37003d863e6364481b5962a783ad512a10965e001fd435b22188040de4663f00002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000
(1) NAS-Identifier = "strongSwan"
(1) State = 0xacf2fb4eacf3f6007bce43a934f32d81
(1) Message-Authenticator = 0x6dfc7fed9669d6629f3978b7068d0331
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default-ikev2
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: Looking up realm "rocky*.de" for User-Name = "c4-b3-01-d9-4e-6b.v2@rocky*.de"
(1) suffix: No such realm "rocky*.de"
(1) [suffix] = noop
(1) eap_ikev2: Peer sent EAP Response (code 2) ID 1 length 161
(1) eap_ikev2: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap_ikev2] = updated
(1) [files] = noop
(1) [expiration] = noop
(1) [logintime] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap_ikev2
(1) # Executing group from file /etc/raddb/sites-enabled/default-ikev2
(1) authenticate {
(1) eap_ikev2: Expiring EAP session with state 0xacf2fb4eacf3f600
(1) eap_ikev2: Finished EAP session with state 0xacf2fb4eacf3f600
(1) eap_ikev2: Previous EAP request found for state 0xacf2fb4eacf3f600, released from the list
(1) eap_ikev2: Peer sent packet with method EAP TLS (13)
(1) eap_ikev2: Calling submodule eap_tls to process data
(1) eap_tls: Continuing EAP-TLS
(1) eap_tls: Peer indicated complete TLS record size will be 151 bytes
(1) eap_tls: Got complete TLS record (151 bytes)
(1) eap_tls: [eaptls verify] = length included
(1) eap_tls: (other): before SSL initialization
(1) eap_tls: TLS_accept: before SSL initialization
(1) eap_tls: TLS_accept: before SSL initialization
(1) eap_tls: <<< recv TLS 1.3 [length 0092]
(1) eap_tls: TLS_accept: SSLv3/TLS read client hello
(1) eap_tls: >>> send TLS 1.2 [length 005d]
(1) eap_tls: TLS_accept: SSLv3/TLS write server hello
(1) eap_tls: >>> send TLS 1.2 [length 0d55]
(1) eap_tls: TLS_accept: SSLv3/TLS write certificate
(1) eap_tls: >>> send TLS 1.2 [length 0291]
(1) eap_tls: TLS_accept: SSLv3/TLS write key exchange
(1) eap_tls: >>> send TLS 1.2 [length 00ed]
(1) eap_tls: TLS_accept: SSLv3/TLS write certificate request
(1) eap_tls: >>> send TLS 1.2 [length 0004]
(1) eap_tls: TLS_accept: SSLv3/TLS write server done
(1) eap_tls: TLS_accept: Need to read more data: SSLv3/TLS write server done
(1) eap_tls: TLS - In Handshake Phase
(1) eap_tls: TLS - got 4429 bytes of data
(1) eap_tls: [eaptls process] = handled
(1) eap_ikev2: Sending EAP Request (code 1) ID 2 length 1004
(1) eap_ikev2: EAP session adding &reply:State = 0xacf2fb4eadf0f600
(1) [eap_ikev2] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/raddb/sites-enabled/default-ikev2
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 161 from 10.0.3.11:1812 to 10.0.3.1:49907 length 0
(1) EAP-Message = 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
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0xacf2fb4eadf0f6007bce43a934f32d81
(1) Finished request
Waking up in 4.2 seconds.
(2) Received Access-Request Id 162 from 10.0.3.1:49907 to 10.0.3.11:1812 length 197
(2) User-Name = "c4-b3-01-d9-4e-6b.v2@rocky*.de"
(2) NAS-Port-Type = Virtual
(2) Service-Type = Framed-User
(2) NAS-Port = 35
(2) NAS-Port-Id = "con-mobile"
(2) NAS-IP-Address = 10.0.1.22
(2) Called-Station-Id = "10.0.1.22[4500]"
(2) Calling-Station-Id = "91.224.227.248[43805]"
(2) EAP-Message = 0x020200060d00
(2) NAS-Identifier = "strongSwan"
(2) State = 0xacf2fb4eadf0f6007bce43a934f32d81
(2) Message-Authenticator = 0xf1fa1626d8f54010498d8111ff269ec8
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default-ikev2
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: Looking up realm "rocky*.de" for User-Name = "c4-b3-01-d9-4e-6b.v2@rocky*.de"
(2) suffix: No such realm "rocky*.de"
(2) [suffix] = noop
(2) eap_ikev2: Peer sent EAP Response (code 2) ID 2 length 6
(2) eap_ikev2: No EAP Start, assuming it's an on-going EAP conversation
(2) [eap_ikev2] = updated
(2) [files] = noop
(2) [expiration] = noop
(2) [logintime] = noop
(2) } # authorize = updated
(2) Found Auth-Type = eap_ikev2
(2) # Executing group from file /etc/raddb/sites-enabled/default-ikev2
(2) authenticate {
(2) eap_ikev2: Expiring EAP session with state 0xacf2fb4eadf0f600
(2) eap_ikev2: Finished EAP session with state 0xacf2fb4eadf0f600
(2) eap_ikev2: Previous EAP request found for state 0xacf2fb4eadf0f600, released from the list
(2) eap_ikev2: Peer sent packet with method EAP TLS (13)
(2) eap_ikev2: Calling submodule eap_tls to process data
(2) eap_tls: Continuing EAP-TLS
(2) eap_tls: Peer ACKed our handshake fragment
(2) eap_tls: [eaptls verify] = request
(2) eap_tls: [eaptls process] = handled
(2) eap_ikev2: Sending EAP Request (code 1) ID 3 length 1004
(2) eap_ikev2: EAP session adding &reply:State = 0xacf2fb4eaef1f600
(2) [eap_ikev2] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/raddb/sites-enabled/default-ikev2
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 162 from 10.0.3.11:1812 to 10.0.3.1:49907 length 0
(2) EAP-Message = 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
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xacf2fb4eaef1f6007bce43a934f32d81
(2) Finished request
Waking up in 3.7 seconds.
(3) Received Access-Request Id 163 from 10.0.3.1:49907 to 10.0.3.11:1812 length 197
(3) User-Name = "c4-b3-01-d9-4e-6b.v2@rocky*.de"
(3) NAS-Port-Type = Virtual
(3) Service-Type = Framed-User
(3) NAS-Port = 35
(3) NAS-Port-Id = "con-mobile"
(3) NAS-IP-Address = 10.0.1.22
(3) Called-Station-Id = "10.0.1.22[4500]"
(3) Calling-Station-Id = "91.224.227.248[43805]"
(3) EAP-Message = 0x020300060d00
(3) NAS-Identifier = "strongSwan"
(3) State = 0xacf2fb4eaef1f6007bce43a934f32d81
(3) Message-Authenticator = 0xd57a2f53b8805a2d6acb3f56556e0a5f
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default-ikev2
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: Looking up realm "rocky*.de" for User-Name = "c4-b3-01-d9-4e-6b.v2@rocky*.de"
(3) suffix: No such realm "rocky*.de"
(3) [suffix] = noop
(3) eap_ikev2: Peer sent EAP Response (code 2) ID 3 length 6
(3) eap_ikev2: No EAP Start, assuming it's an on-going EAP conversation
(3) [eap_ikev2] = updated
(3) [files] = noop
(3) [expiration] = noop
(3) [logintime] = noop
(3) } # authorize = updated
(3) Found Auth-Type = eap_ikev2
(3) # Executing group from file /etc/raddb/sites-enabled/default-ikev2
(3) authenticate {
(3) eap_ikev2: Expiring EAP session with state 0xacf2fb4eaef1f600
(3) eap_ikev2: Finished EAP session with state 0xacf2fb4eaef1f600
(3) eap_ikev2: Previous EAP request found for state 0xacf2fb4eaef1f600, released from the list
(3) eap_ikev2: Peer sent packet with method EAP TLS (13)
(3) eap_ikev2: Calling submodule eap_tls to process data
(3) eap_tls: Continuing EAP-TLS
(3) eap_tls: Peer ACKed our handshake fragment
(3) eap_tls: [eaptls verify] = request
(3) eap_tls: [eaptls process] = handled
(3) eap_ikev2: Sending EAP Request (code 1) ID 4 length 1004
(3) eap_ikev2: EAP session adding &reply:State = 0xacf2fb4eaff6f600
(3) [eap_ikev2] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/raddb/sites-enabled/default-ikev2
(3) Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 163 from 10.0.3.11:1812 to 10.0.3.1:49907 length 0
(3) EAP-Message = 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
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0xacf2fb4eaff6f6007bce43a934f32d81
(3) Finished request
Waking up in 3.2 seconds.
(4) Received Access-Request Id 164 from 10.0.3.1:49907 to 10.0.3.11:1812 length 197
(4) User-Name = "c4-b3-01-d9-4e-6b.v2@rocky*.de"
(4) NAS-Port-Type = Virtual
(4) Service-Type = Framed-User
(4) NAS-Port = 35
(4) NAS-Port-Id = "con-mobile"
(4) NAS-IP-Address = 10.0.1.22
(4) Called-Station-Id = "10.0.1.22[4500]"
(4) Calling-Station-Id = "91.224.227.248[43805]"
(4) EAP-Message = 0x020400060d00
(4) NAS-Identifier = "strongSwan"
(4) State = 0xacf2fb4eaff6f6007bce43a934f32d81
(4) Message-Authenticator = 0x50f32fe2d5791cc3d78108658bb642a3
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default-ikev2
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: Looking up realm "rocky*.de" for User-Name = "c4-b3-01-d9-4e-6b.v2@rocky*.de"
(4) suffix: No such realm "rocky*.de"
(4) [suffix] = noop
(4) eap_ikev2: Peer sent EAP Response (code 2) ID 4 length 6
(4) eap_ikev2: No EAP Start, assuming it's an on-going EAP conversation
(4) [eap_ikev2] = updated
(4) [files] = noop
(4) [expiration] = noop
(4) [logintime] = noop
(4) } # authorize = updated
(4) Found Auth-Type = eap_ikev2
(4) # Executing group from file /etc/raddb/sites-enabled/default-ikev2
(4) authenticate {
(4) eap_ikev2: Expiring EAP session with state 0xacf2fb4eaff6f600
(4) eap_ikev2: Finished EAP session with state 0xacf2fb4eaff6f600
(4) eap_ikev2: Previous EAP request found for state 0xacf2fb4eaff6f600, released from the list
(4) eap_ikev2: Peer sent packet with method EAP TLS (13)
(4) eap_ikev2: Calling submodule eap_tls to process data
(4) eap_tls: Continuing EAP-TLS
(4) eap_tls: Peer ACKed our handshake fragment
(4) eap_tls: [eaptls verify] = request
(4) eap_tls: [eaptls process] = handled
(4) eap_ikev2: Sending EAP Request (code 1) ID 5 length 1004
(4) eap_ikev2: EAP session adding &reply:State = 0xacf2fb4ea8f7f600
(4) [eap_ikev2] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/raddb/sites-enabled/default-ikev2
(4) Challenge { ... } # empty sub-section is ignored
(4) Sent Access-Challenge Id 164 from 10.0.3.11:1812 to 10.0.3.1:49907 length 0
(4) EAP-Message = 0x010503ec0dc00000114d726c300d06092a864886f70d01010b050003820201004d16e5940c9dadc1ff51f433f49ac669b7fda840ec7cc76fd160fddf8ee93da413d9b60d0a7d717ff1d650f830a3b007b43f0074b35f2e0519509030b8a1701082c6062aa79dd06b5929832183bff431a03f54d314f564ad4bcd601f690305dbabcdaf574c6cc1afc9c115ef1a8dc8775f210fa0022399862a93efd15f534937a9ef10a2fefcbccfbeffb4731b06498f7ee74204d012d0ec90c20fae0c8eacdc53889832ec4acdd65bdaa017c2b4883a619119ba24580b6340cf3767a2a0156061d897322f6f223867ef80b8ad5f6adfa008f3bf1335c86e8266e9c506505085920681fdf7375e7f33ca19867c1789a4d2fb9b837e70bb2bdb66dd40953319b9b96a80e833a080fef97fc3eb7686214f3088e820f5a24ca49cb86c0a3bf985f9d9f69eafb152a7e2d2f20bd8d373267273ed8d3a521f0f4ef9188637d170e2151ce9d7b934d5c3c5d682ae731986ec0dc7e1ccd5431318
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0xacf2fb4ea8f7f6007bce43a934f32d81
(4) Finished request
Waking up in 2.8 seconds.
(5) Received Access-Request Id 165 from 10.0.3.1:49907 to 10.0.3.11:1812 length 197
(5) User-Name = "c4-b3-01-d9-4e-6b.v2@rocky*.de"
(5) NAS-Port-Type = Virtual
(5) Service-Type = Framed-User
(5) NAS-Port = 35
(5) NAS-Port-Id = "con-mobile"
(5) NAS-IP-Address = 10.0.1.22
(5) Called-Station-Id = "10.0.1.22[4500]"
(5) Calling-Station-Id = "91.224.227.248[43805]"
(5) EAP-Message = 0x020500060d00
(5) NAS-Identifier = "strongSwan"
(5) State = 0xacf2fb4ea8f7f6007bce43a934f32d81
(5) Message-Authenticator = 0x93555875fb89751a632da5c70762db7c
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default-ikev2
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: Looking up realm "rocky*.de" for User-Name = "c4-b3-01-d9-4e-6b.v2@rocky*.de"
(5) suffix: No such realm "rocky*.de"
(5) [suffix] = noop
(5) eap_ikev2: Peer sent EAP Response (code 2) ID 5 length 6
(5) eap_ikev2: No EAP Start, assuming it's an on-going EAP conversation
(5) [eap_ikev2] = updated
(5) [files] = noop
(5) [expiration] = noop
(5) [logintime] = noop
(5) } # authorize = updated
(5) Found Auth-Type = eap_ikev2
(5) # Executing group from file /etc/raddb/sites-enabled/default-ikev2
(5) authenticate {
(5) eap_ikev2: Expiring EAP session with state 0xacf2fb4ea8f7f600
(5) eap_ikev2: Finished EAP session with state 0xacf2fb4ea8f7f600
(5) eap_ikev2: Previous EAP request found for state 0xacf2fb4ea8f7f600, released from the list
(5) eap_ikev2: Peer sent packet with method EAP TLS (13)
(5) eap_ikev2: Calling submodule eap_tls to process data
(5) eap_tls: Continuing EAP-TLS
(5) eap_tls: Peer ACKed our handshake fragment
(5) eap_tls: [eaptls verify] = request
(5) eap_tls: [eaptls process] = handled
(5) eap_ikev2: Sending EAP Request (code 1) ID 6 length 463
(5) eap_ikev2: EAP session adding &reply:State = 0xacf2fb4ea9f4f600
(5) [eap_ikev2] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/raddb/sites-enabled/default-ikev2
(5) Challenge { ... } # empty sub-section is ignored
(5) Sent Access-Challenge Id 165 from 10.0.3.11:1812 to 10.0.3.1:49907 length 0
(5) EAP-Message = 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
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0xacf2fb4ea9f4f6007bce43a934f32d81
(5) Finished request
Waking up in 2.3 seconds.
(6) Received Access-Request Id 166 from 10.0.3.1:49907 to 10.0.3.11:1812 length 1223
(6) User-Name = "c4-b3-01-d9-4e-6b.v2@rocky*.de"
(6) NAS-Port-Type = Virtual
(6) Service-Type = Framed-User
(6) NAS-Port = 35
(6) NAS-Port-Id = "con-mobile"
(6) NAS-IP-Address = 10.0.1.22
(6) Called-Station-Id = "10.0.1.22[4500]"
(6) Calling-Station-Id = "91.224.227.248[43805]"
(6) EAP-Message = 0x020604000dc00000100b1603030d370b000d33000d300005db308205d7308203bfa003020102020116300d06092a864886f70d01010b05003081ae310b3009060355040613024445311f301d06035504080c164e6f727468205268696e652d576573747068616c69613114301206035504070c0b4475657373656c646f726631173015060355040a0c0e526f636b794d6f756e7461696e733120301e06092a864886f70d010901161161646d696e406578616d706c652e6f7267312d302b06035504030c24526f636b794d6f756e7461696e7320436572746966696361746520417574686f72697479301e170d3139303532323139323530335a170d3339303531373139323530335a3078310b3009060355040613024445311f301d06035504080c164e6f727468205268696e652d576573747068616c696131173015060355040a0c0e526f636b794d6f756e7461696e73312f302d06035504030c2663342d62332d30312d64392d34652d36622e763240726f636b79
(6) NAS-Identifier = "strongSwan"
(6) State = 0xacf2fb4ea9f4f6007bce43a934f32d81
(6) Message-Authenticator = 0xddd68acb4cf63644d7a7ea2bae3fb105
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default-ikev2
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: Looking up realm "rocky*.de" for User-Name = "c4-b3-01-d9-4e-6b.v2@rocky*.de"
(6) suffix: No such realm "rocky*.de"
(6) [suffix] = noop
(6) eap_ikev2: Peer sent EAP Response (code 2) ID 6 length 1024
(6) eap_ikev2: No EAP Start, assuming it's an on-going EAP conversation
(6) [eap_ikev2] = updated
(6) [files] = noop
(6) [expiration] = noop
(6) [logintime] = noop
(6) } # authorize = updated
(6) Found Auth-Type = eap_ikev2
(6) # Executing group from file /etc/raddb/sites-enabled/default-ikev2
(6) authenticate {
(6) eap_ikev2: Expiring EAP session with state 0xacf2fb4ea9f4f600
(6) eap_ikev2: Finished EAP session with state 0xacf2fb4ea9f4f600
(6) eap_ikev2: Previous EAP request found for state 0xacf2fb4ea9f4f600, released from the list
(6) eap_ikev2: Peer sent packet with method EAP TLS (13)
(6) eap_ikev2: Calling submodule eap_tls to process data
(6) eap_tls: Continuing EAP-TLS
(6) eap_tls: Peer indicated complete TLS record size will be 4107 bytes
(6) eap_tls: Expecting 5 TLS record fragments
(6) eap_tls: Got first TLS record fragment (1014 bytes). Peer indicated more fragments to follow
(6) eap_tls: [eaptls verify] = first fragment
(6) eap_tls: ACKing Peer's TLS record fragment
(6) eap_tls: [eaptls process] = handled
(6) eap_ikev2: Sending EAP Request (code 1) ID 7 length 6
(6) eap_ikev2: EAP session adding &reply:State = 0xacf2fb4eaaf5f600
(6) [eap_ikev2] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/raddb/sites-enabled/default-ikev2
(6) Challenge { ... } # empty sub-section is ignored
(6) Sent Access-Challenge Id 166 from 10.0.3.11:1812 to 10.0.3.1:49907 length 0
(6) EAP-Message = 0x010700060d00
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0xacf2fb4eaaf5f6007bce43a934f32d81
(6) Finished request
Waking up in 1.7 seconds.
(7) Received Access-Request Id 167 from 10.0.3.1:49907 to 10.0.3.11:1812 length 1223
(7) User-Name = "c4-b3-01-d9-4e-6b.v2@rocky*.de"
(7) NAS-Port-Type = Virtual
(7) Service-Type = Framed-User
(7) NAS-Port = 35
(7) NAS-Port-Id = "con-mobile"
(7) NAS-IP-Address = 10.0.1.22
(7) Called-Station-Id = "10.0.1.22[4500]"
(7) Calling-Station-Id = "91.224.227.248[43805]"
(7) EAP-Message = 0x020704000d40d35c29ad66ffb34ee298a084abab8ee3c09f66b69b55ad34277075bca6685b24c9edcbebe1b7830f2b9959019971cf261528acac4205a69ee11ddf59c89e858084d748bfc574dc9c54c9146bf36d5f6c355e36c21f1b3d36811e3c01b3f2cb3c46ff0d69cba52643b5105fc002ffc7e76381e9f6ffab964359bc6c880c23075bf55903bbfbb89a934a15866cb5deb070ffda08583aebf3830d3af3d8a068b18595a7009e5beea07ba4700cf8c7040f7dec8825d3df3c1c07571f4cbf4d129db319cfa36cc8d8250a7a5995a753be915d3545f292ec9a03ab88080a545ec0f3ce77e452e0a0a218ec3c205f6ff87577c80f517ef22e3221333a78fcb90c686c30402fb3bd92b591172e372c82e9c0eed6f414a938abf129830a964e3c299b2c8fabd74037cc14135535283ab964a8d43b5db305fa2d753de213af754cc74ac9b749dc2d123246c65616f2952e6d249ad4463830c7278fafc16f73095aa9ebb5faee18de638cd6f8f39d30ea0f3fd3b911a7
(7) NAS-Identifier = "strongSwan"
(7) State = 0xacf2fb4eaaf5f6007bce43a934f32d81
(7) Message-Authenticator = 0x09a6dc4fe573323c26fd2e2765930906
(7) session-state: No cached attributes
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default-ikev2
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: Looking up realm "rocky*.de" for User-Name = "c4-b3-01-d9-4e-6b.v2@rocky*.de"
(7) suffix: No such realm "rocky*.de"
(7) [suffix] = noop
(7) eap_ikev2: Peer sent EAP Response (code 2) ID 7 length 1024
(7) eap_ikev2: No EAP Start, assuming it's an on-going EAP conversation
(7) [eap_ikev2] = updated
(7) [files] = noop
(7) [expiration] = noop
(7) [logintime] = noop
(7) } # authorize = updated
(7) Found Auth-Type = eap_ikev2
(7) # Executing group from file /etc/raddb/sites-enabled/default-ikev2
(7) authenticate {
(7) eap_ikev2: Expiring EAP session with state 0xacf2fb4eaaf5f600
(7) eap_ikev2: Finished EAP session with state 0xacf2fb4eaaf5f600
(7) eap_ikev2: Previous EAP request found for state 0xacf2fb4eaaf5f600, released from the list
(7) eap_ikev2: Peer sent packet with method EAP TLS (13)
(7) eap_ikev2: Calling submodule eap_tls to process data
(7) eap_tls: Continuing EAP-TLS
(7) eap_tls: Got additional TLS record fragment (1018 bytes). Peer indicated more fragments to follow
(7) eap_tls: [eaptls verify] = more fragments
(7) eap_tls: ACKing Peer's TLS record fragment
(7) eap_tls: [eaptls process] = handled
(7) eap_ikev2: Sending EAP Request (code 1) ID 8 length 6
(7) eap_ikev2: EAP session adding &reply:State = 0xacf2fb4eabfaf600
(7) [eap_ikev2] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/raddb/sites-enabled/default-ikev2
(7) Challenge { ... } # empty sub-section is ignored
(7) Sent Access-Challenge Id 167 from 10.0.3.11:1812 to 10.0.3.1:49907 length 0
(7) EAP-Message = 0x010800060d00
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0xacf2fb4eabfaf6007bce43a934f32d81
(7) Finished request
Waking up in 1.2 seconds.
(8) Received Access-Request Id 168 from 10.0.3.1:49907 to 10.0.3.11:1812 length 1223
(8) User-Name = "c4-b3-01-d9-4e-6b.v2@rocky*.de"
(8) NAS-Port-Type = Virtual
(8) Service-Type = Framed-User
(8) NAS-Port = 35
(8) NAS-Port-Id = "con-mobile"
(8) NAS-IP-Address = 10.0.1.22
(8) Called-Station-Id = "10.0.1.22[4500]"
(8) Calling-Station-Id = "91.224.227.248[43805]"
(8) EAP-Message = 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
(8) NAS-Identifier = "strongSwan"
(8) State = 0xacf2fb4eabfaf6007bce43a934f32d81
(8) Message-Authenticator = 0x38aed0c1045162da3bc2b4d2eca885a6
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default-ikev2
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: Looking up realm "rocky*.de" for User-Name = "c4-b3-01-d9-4e-6b.v2@rocky*.de"
(8) suffix: No such realm "rocky*.de"
(8) [suffix] = noop
(8) eap_ikev2: Peer sent EAP Response (code 2) ID 8 length 1024
(8) eap_ikev2: No EAP Start, assuming it's an on-going EAP conversation
(8) [eap_ikev2] = updated
(8) [files] = noop
(8) [expiration] = noop
(8) [logintime] = noop
(8) } # authorize = updated
(8) Found Auth-Type = eap_ikev2
(8) # Executing group from file /etc/raddb/sites-enabled/default-ikev2
(8) authenticate {
(8) eap_ikev2: Expiring EAP session with state 0xacf2fb4eabfaf600
(8) eap_ikev2: Finished EAP session with state 0xacf2fb4eabfaf600
(8) eap_ikev2: Previous EAP request found for state 0xacf2fb4eabfaf600, released from the list
(8) eap_ikev2: Peer sent packet with method EAP TLS (13)
(8) eap_ikev2: Calling submodule eap_tls to process data
(8) eap_tls: Continuing EAP-TLS
(8) eap_tls: Got additional TLS record fragment (1018 bytes). Peer indicated more fragments to follow
(8) eap_tls: [eaptls verify] = more fragments
(8) eap_tls: ACKing Peer's TLS record fragment
(8) eap_tls: [eaptls process] = handled
(8) eap_ikev2: Sending EAP Request (code 1) ID 9 length 6
(8) eap_ikev2: EAP session adding &reply:State = 0xacf2fb4ea4fbf600
(8) [eap_ikev2] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) # Executing group from file /etc/raddb/sites-enabled/default-ikev2
(8) Challenge { ... } # empty sub-section is ignored
(8) Sent Access-Challenge Id 168 from 10.0.3.11:1812 to 10.0.3.1:49907 length 0
(8) EAP-Message = 0x010900060d00
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0xacf2fb4ea4fbf6007bce43a934f32d81
(8) Finished request
Waking up in 0.7 seconds.
(9) Received Access-Request Id 169 from 10.0.3.1:49907 to 10.0.3.11:1812 length 1223
(9) User-Name = "c4-b3-01-d9-4e-6b.v2@rocky*.de"
(9) NAS-Port-Type = Virtual
(9) Service-Type = Framed-User
(9) NAS-Port = 35
(9) NAS-Port-Id = "con-mobile"
(9) NAS-IP-Address = 10.0.1.22
(9) Called-Station-Id = "10.0.1.22[4500]"
(9) Calling-Station-Id = "91.224.227.248[43805]"
(9) EAP-Message = 0x020904000d40883a619119ba24580b6340cf3767a2a0156061d897322f6f223867ef80b8ad5f6adfa008f3bf1335c86e8266e9c506505085920681fdf7375e7f33ca19867c1789a4d2fb9b837e70bb2bdb66dd40953319b9b96a80e833a080fef97fc3eb7686214f3088e820f5a24ca49cb86c0a3bf985f9d9f69eafb152a7e2d2f20bd8d373267273ed8d3a521f0f4ef9188637d170e2151ce9d7b934d5c3c5d682ae731986ec0dc7e1ccd5431318660b65c36fc48989e2f20c6fd67f12472fd29c9150deef1af5eb9329c40c25dc73a48c83c4ec0258a78939e6fa3c3a2310dcd60a70730f64ae7cd7ca0e9f9f9f7585d3722439c1e378052999942e429106d79b4ba248d52405caa9146ab7872c02fec7b399067b6e5e6c250e03b7a604e0730b8bcdbaee3030b9b6607835b73e68161b72cb26b4fc20f783373ec3c2b52b110e10891002d65025aa7258fbff10d9c505fc3df55c815c160303008a10000086850400f3fd568561e8dcf387bf4e4fc8e0447b56353f
(9) NAS-Identifier = "strongSwan"
(9) State = 0xacf2fb4ea4fbf6007bce43a934f32d81
(9) Message-Authenticator = 0x100c287c2e47ae4ae69fa44bb5d735b3
(9) session-state: No cached attributes
(9) # Executing section authorize from file /etc/raddb/sites-enabled/default-ikev2
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /@\./) {
(9) if (&User-Name =~ /@\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [preprocess] = ok
(9) [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: Looking up realm "rocky*.de" for User-Name = "c4-b3-01-d9-4e-6b.v2@rocky*.de"
(9) suffix: No such realm "rocky*.de"
(9) [suffix] = noop
(9) eap_ikev2: Peer sent EAP Response (code 2) ID 9 length 1024
(9) eap_ikev2: No EAP Start, assuming it's an on-going EAP conversation
(9) [eap_ikev2] = updated
(9) [files] = noop
(9) [expiration] = noop
(9) [logintime] = noop
(9) } # authorize = updated
(9) Found Auth-Type = eap_ikev2
(9) # Executing group from file /etc/raddb/sites-enabled/default-ikev2
(9) authenticate {
(9) eap_ikev2: Expiring EAP session with state 0xacf2fb4ea4fbf600
(9) eap_ikev2: Finished EAP session with state 0xacf2fb4ea4fbf600
(9) eap_ikev2: Previous EAP request found for state 0xacf2fb4ea4fbf600, released from the list
(9) eap_ikev2: Peer sent packet with method EAP TLS (13)
(9) eap_ikev2: Calling submodule eap_tls to process data
(9) eap_tls: Continuing EAP-TLS
(9) eap_tls: Got additional TLS record fragment (1018 bytes). Peer indicated more fragments to follow
(9) eap_tls: [eaptls verify] = more fragments
(9) eap_tls: ACKing Peer's TLS record fragment
(9) eap_tls: [eaptls process] = handled
(9) eap_ikev2: Sending EAP Request (code 1) ID 10 length 6
(9) eap_ikev2: EAP session adding &reply:State = 0xacf2fb4ea5f8f600
(9) [eap_ikev2] = handled
(9) } # authenticate = handled
(9) Using Post-Auth-Type Challenge
(9) # Executing group from file /etc/raddb/sites-enabled/default-ikev2
(9) Challenge { ... } # empty sub-section is ignored
(9) Sent Access-Challenge Id 169 from 10.0.3.11:1812 to 10.0.3.1:49907 length 0
(9) EAP-Message = 0x010a00060d00
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0xacf2fb4ea5f8f6007bce43a934f32d81
(9) Finished request
Waking up in 0.1 seconds.
(0) Cleaning up request packet ID 160 with timestamp +55
Waking up in 0.7 seconds.
(10) Received Access-Request Id 170 from 10.0.3.1:49907 to 10.0.3.11:1812 length 236
(10) User-Name = "c4-b3-01-d9-4e-6b.v2@rocky*.de"
(10) NAS-Port-Type = Virtual
(10) Service-Type = Framed-User
(10) NAS-Port = 35
(10) NAS-Port-Id = "con-mobile"
(10) NAS-IP-Address = 10.0.1.22
(10) Called-Station-Id = "10.0.1.22[4500]"
(10) Calling-Station-Id = "91.224.227.248[43805]"
(10) EAP-Message = 0x020a002d0d004a57f4e6122bb9eb7dc3939a2ec508388f49acf2311ca0868cbba917d6b5a20080c7f83c80dd2c
(10) NAS-Identifier = "strongSwan"
(10) State = 0xacf2fb4ea5f8f6007bce43a934f32d81
(10) Message-Authenticator = 0x4779aa4f3b8fa7a1b28413bc58d091df
(10) session-state: No cached attributes
(10) # Executing section authorize from file /etc/raddb/sites-enabled/default-ikev2
(10) authorize {
(10) policy filter_username {
(10) if (&User-Name) {
(10) if (&User-Name) -> TRUE
(10) if (&User-Name) {
(10) if (&User-Name =~ / /) {
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@[^@]*@/ ) {
(10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(10) if (&User-Name =~ /\.\./ ) {
(10) if (&User-Name =~ /\.\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(10) if (&User-Name =~ /\.$/) {
(10) if (&User-Name =~ /\.$/) -> FALSE
(10) if (&User-Name =~ /@\./) {
(10) if (&User-Name =~ /@\./) -> FALSE
(10) } # if (&User-Name) = notfound
(10) } # policy filter_username = notfound
(10) [preprocess] = ok
(10) [digest] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: Looking up realm "rocky*.de" for User-Name = "c4-b3-01-d9-4e-6b.v2@rocky*.de"
(10) suffix: No such realm "rocky*.de"
(10) [suffix] = noop
(10) eap_ikev2: Peer sent EAP Response (code 2) ID 10 length 45
(10) eap_ikev2: No EAP Start, assuming it's an on-going EAP conversation
(10) [eap_ikev2] = updated
(10) [files] = noop
(10) [expiration] = noop
(10) [logintime] = noop
(10) } # authorize = updated
(10) Found Auth-Type = eap_ikev2
(10) # Executing group from file /etc/raddb/sites-enabled/default-ikev2
(10) authenticate {
(10) eap_ikev2: Expiring EAP session with state 0xacf2fb4ea5f8f600
(10) eap_ikev2: Finished EAP session with state 0xacf2fb4ea5f8f600
(10) eap_ikev2: Previous EAP request found for state 0xacf2fb4ea5f8f600, released from the list
(10) eap_ikev2: Peer sent packet with method EAP TLS (13)
(10) eap_ikev2: Calling submodule eap_tls to process data
(10) eap_tls: Continuing EAP-TLS
(10) eap_tls: Got final TLS record fragment (39 bytes)
(10) eap_tls: [eaptls verify] = ok
(10) eap_tls: Done initial handshake
(10) eap_tls: TLS_accept: SSLv3/TLS write server done
(10) eap_tls: <<< recv TLS 1.2 [length 0d37]
(10) eap_tls: TLS - Creating attributes from certificate OIDs
(10) eap_tls: TLS-Cert-Serial := "0b49247a7915c706a5a259bdcd2f8fdc91b3006b"
(10) eap_tls: TLS-Cert-Expiration := "390217003004Z"
(10) eap_tls: TLS-Cert-Subject := "/C=DE/ST=region/L=city/O=Rocky*/emailAddress=admin@example.org/CN=Rocky* Certificate Authority"
(10) eap_tls: TLS-Cert-Issuer := "/C=DE/ST=region/L=city/O=Rocky*/emailAddress=admin@example.org/CN=Rocky* Certificate Authority"
(10) eap_tls: TLS-Cert-Common-Name := "Rocky* Certificate Authority"
(10) eap_tls: TLS - Creating attributes from certificate OIDs
(10) eap_tls: TLS-Client-Cert-Serial := "16"
(10) eap_tls: TLS-Client-Cert-Expiration := "390517192503Z"
(10) eap_tls: TLS-Client-Cert-Subject := "/C=DE/ST=region/O=Rocky*/CN=c4-b3-01-d9-4e-6b.v2@rocky*.de"
(10) eap_tls: TLS-Client-Cert-Issuer := "/C=DE/ST=region/L=city/O=Rocky*/emailAddress=admin@example.org/CN=Rocky* Certificate Authority"
(10) eap_tls: TLS-Client-Cert-Common-Name := "c4-b3-01-d9-4e-6b.v2@rocky*.de"
(10) eap_tls: TLS-Client-Cert-Subject-Alt-Name-Email := "c4-b3-01-d9-4e-6b.v2@rocky*.de"
(10) eap_tls: EXPAND %{User-Name}
(10) eap_tls: --> c4-b3-01-d9-4e-6b.v2@rocky*.de
(10) eap_tls: checking certificate CN (c4-b3-01-d9-4e-6b.v2@rocky*.de) with xlat'ed value (c4-b3-01-d9-4e-6b.v2@rocky*.de)
(10) eap_tls: TLS_accept: SSLv3/TLS read client certificate
(10) eap_tls: <<< recv TLS 1.2 [length 008a]
(10) eap_tls: TLS_accept: SSLv3/TLS read client key exchange
(10) eap_tls: <<< recv TLS 1.2 [length 0208]
(10) eap_tls: TLS_accept: SSLv3/TLS read certificate verify
(10) eap_tls: TLS_accept: SSLv3/TLS read change cipher spec
(10) eap_tls: <<< recv TLS 1.2 [length 0010]
(10) eap_tls: TLS_accept: SSLv3/TLS read finished
(10) eap_tls: >>> send TLS 1.2 [length 0001]
(10) eap_tls: TLS_accept: SSLv3/TLS write change cipher spec
(10) eap_tls: >>> send TLS 1.2 [length 0010]
(10) eap_tls: TLS_accept: SSLv3/TLS write finished
(10) eap_tls: Serialising session 168b7c6f0ad47c8bb0a7c2d9186cea31c162710839a5584a4a143160fc97883e, and storing in cache
(10) eap_tls: WARNING: Wrote session 168b7c6f0ad47c8bb0a7c2d9186cea31c162710839a5584a4a143160fc97883e to /var/lib/radiusd/tlscache/168b7c6f0ad47c8bb0a7c2d9186cea31c162710839a5584a4a143160fc97883e.asn1 (1640 bytes)
(10) eap_tls: (other): SSL negotiation finished successfully
(10) eap_tls: TLS - Connection Established
(10) eap_tls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(10) eap_tls: TLS-Session-Version = "TLS 1.2"
(10) eap_tls: TLS - got 51 bytes of data
(10) eap_tls: [eaptls process] = handled
(10) eap_ikev2: Sending EAP Request (code 1) ID 11 length 61
(10) eap_ikev2: EAP session adding &reply:State = 0xacf2fb4ea6f9f600
(10) [eap_ikev2] = handled
(10) } # authenticate = handled
(10) Using Post-Auth-Type Challenge
(10) # Executing group from file /etc/raddb/sites-enabled/default-ikev2
(10) Challenge { ... } # empty sub-section is ignored
(10) session-state: Saving cached attributes
(10) TLS-Cache-Filename = "/var/lib/radiusd/tlscache/168b7c6f0ad47c8bb0a7c2d9186cea31c162710839a5584a4a143160fc97883e.asn1"
(10) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(10) TLS-Session-Version = "TLS 1.2"
(10) Sent Access-Challenge Id 170 from 10.0.3.11:1812 to 10.0.3.1:49907 length 0
(10) EAP-Message = 0x010b003d0d8000000033140303000101160303002814028c77bb2d18e1638e5b8193cd6b430e231605acb6c51ecc90c7fffba04d900a1b6c5f67834084
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) State = 0xacf2fb4ea6f9f6007bce43a934f32d81
(10) Finished request
Waking up in 0.2 seconds.
(1) Cleaning up request packet ID 161 with timestamp +56
Waking up in 0.5 seconds.
(11) Received Access-Request Id 171 from 10.0.3.1:49907 to 10.0.3.11:1812 length 197
(11) User-Name = "c4-b3-01-d9-4e-6b.v2@rocky*.de"
(11) NAS-Port-Type = Virtual
(11) Service-Type = Framed-User
(11) NAS-Port = 35
(11) NAS-Port-Id = "con-mobile"
(11) NAS-IP-Address = 10.0.1.22
(11) Called-Station-Id = "10.0.1.22[4500]"
(11) Calling-Station-Id = "91.224.227.248[43805]"
(11) EAP-Message = 0x020b00060d00
(11) NAS-Identifier = "strongSwan"
(11) State = 0xacf2fb4ea6f9f6007bce43a934f32d81
(11) Message-Authenticator = 0x9ae1501b3cc6a3a0a844b436fdf21037
(11) Restoring &session-state
(11) &session-state:TLS-Cache-Filename = "/var/lib/radiusd/tlscache/168b7c6f0ad47c8bb0a7c2d9186cea31c162710839a5584a4a143160fc97883e.asn1"
(11) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(11) &session-state:TLS-Session-Version = "TLS 1.2"
(11) # Executing section authorize from file /etc/raddb/sites-enabled/default-ikev2
(11) authorize {
(11) policy filter_username {
(11) if (&User-Name) {
(11) if (&User-Name) -> TRUE
(11) if (&User-Name) {
(11) if (&User-Name =~ / /) {
(11) if (&User-Name =~ / /) -> FALSE
(11) if (&User-Name =~ /@[^@]*@/ ) {
(11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11) if (&User-Name =~ /\.\./ ) {
(11) if (&User-Name =~ /\.\./ ) -> FALSE
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(11) if (&User-Name =~ /\.$/) {
(11) if (&User-Name =~ /\.$/) -> FALSE
(11) if (&User-Name =~ /@\./) {
(11) if (&User-Name =~ /@\./) -> FALSE
(11) } # if (&User-Name) = notfound
(11) } # policy filter_username = notfound
(11) [preprocess] = ok
(11) [digest] = noop
(11) suffix: Checking for suffix after "@"
(11) suffix: Looking up realm "rocky*.de" for User-Name = "c4-b3-01-d9-4e-6b.v2@rocky*.de"
(11) suffix: No such realm "rocky*.de"
(11) [suffix] = noop
(11) eap_ikev2: Peer sent EAP Response (code 2) ID 11 length 6
(11) eap_ikev2: No EAP Start, assuming it's an on-going EAP conversation
(11) [eap_ikev2] = updated
(11) [files] = noop
(11) [expiration] = noop
(11) [logintime] = noop
(11) } # authorize = updated
(11) Found Auth-Type = eap_ikev2
(11) # Executing group from file /etc/raddb/sites-enabled/default-ikev2
(11) authenticate {
(11) eap_ikev2: Expiring EAP session with state 0xacf2fb4ea6f9f600
(11) eap_ikev2: Finished EAP session with state 0xacf2fb4ea6f9f600
(11) eap_ikev2: Previous EAP request found for state 0xacf2fb4ea6f9f600, released from the list
(11) eap_ikev2: Peer sent packet with method EAP TLS (13)
(11) eap_ikev2: Calling submodule eap_tls to process data
(11) eap_tls: Continuing EAP-TLS
(11) eap_tls: Peer ACKed our handshake fragment. handshake is finished
(11) eap_tls: [eaptls verify] = success
(11) eap_tls: [eaptls process] = success
(11) eap_tls: caching TLS-Cert-Serial := "0b49247a7915c706a5a259bdcd2f8fdc91b3006b"
(11) eap_tls: caching TLS-Cert-Expiration := "390217003004Z"
(11) eap_tls: caching TLS-Cert-Subject := "/C=DE/ST=region/L=city/O=Rocky*/emailAddress=admin@example.org/CN=Rocky* Certificate Authority"
(11) eap_tls: caching TLS-Cert-Issuer := "/C=DE/ST=region/L=city/O=Rocky*/emailAddress=admin@example.org/CN=Rocky* Certificate Authority"
(11) eap_tls: caching TLS-Cert-Common-Name := "Rocky* Certificate Authority"
(11) eap_tls: caching TLS-Client-Cert-Serial := "16"
(11) eap_tls: caching TLS-Client-Cert-Expiration := "390517192503Z"
(11) eap_tls: caching TLS-Client-Cert-Subject := "/C=DE/ST=region/O=Rocky*/CN=c4-b3-01-d9-4e-6b.v2@rocky*.de"
(11) eap_tls: caching TLS-Client-Cert-Issuer := "/C=DE/ST=region/L=city/O=Rocky*/emailAddress=admin@example.org/CN=Rocky* Certificate Authority"
(11) eap_tls: caching TLS-Client-Cert-Common-Name := "c4-b3-01-d9-4e-6b.v2@rocky*.de"
(11) eap_tls: caching TLS-Client-Cert-Subject-Alt-Name-Email := "c4-b3-01-d9-4e-6b.v2@rocky*.de"
(11) eap_tls: Saving session 168b7c6f0ad47c8bb0a7c2d9186cea31c162710839a5584a4a143160fc97883e in the disk cache
(11) eap_ikev2: Sending EAP Success (code 3) ID 11 length 4
(11) eap_ikev2: Freeing handler
(11) [eap_ikev2] = ok
(11) } # authenticate = ok
(11) # Executing section post-auth from file /etc/raddb/sites-enabled/default-ikev2
(11) post-auth {
(11) update {
(11) &reply::TLS-Cache-Filename += &session-state:TLS-Cache-Filename[*] -> '/var/lib/radiusd/tlscache/168b7c6f0ad47c8bb0a7c2d9186cea31c162710839a5584a4a143160fc97883e.asn1'
(11) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
(11) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(11) } # update = noop
(11) [exec] = noop
(11) policy remove_reply_message_if_eap {
(11) if (&reply:EAP-Message && &reply:Reply-Message) {
(11) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(11) else {
(11) [noop] = noop
(11) } # else = noop
(11) } # policy remove_reply_message_if_eap = noop
(11) } # post-auth = noop
(11) Login OK: [c4-b3-01-d9-4e-6b.v2@rocky*.de] (from client Rocky* port 35 cli 91.224.227.248[43805])
(11) Sent Access-Accept Id 171 from 10.0.3.11:1812 to 10.0.3.1:49907 length 0
(11) MS-MPPE-Recv-Key = 0x8140e941006bc8cbd9532294b7b2587caf0daac34f3ba67d730af5562557b7c0
(11) MS-MPPE-Send-Key = 0xd4a5027039e6c49b4ad749abad52910435f1010116102ef95cea4808cdf9918d
(11) EAP-Message = 0x030b0004
(11) Message-Authenticator = 0x00000000000000000000000000000000
(11) User-Name = "c4-b3-01-d9-4e-6b.v2@rocky*.de"
(11) Finished request
Waking up in 0.3 seconds.
(2) Cleaning up request packet ID 162 with timestamp +57
Waking up in 0.5 seconds.
(12) Received Accounting-Request Id 172 from 10.0.3.1:63156 to 10.0.3.11:1813 length 180
(12) Acct-Status-Type = Start
(12) Acct-Session-Id = "1563876546-35"
(12) NAS-Port-Type = Virtual
(12) Service-Type = Framed-User
(12) NAS-Port = 35
(12) NAS-Port-Id = "con-mobile"
(12) NAS-IP-Address = 10.0.1.22
(12) Called-Station-Id = "10.0.1.22[4500]"
(12) Calling-Station-Id = "91.224.227.248[43805]"
(12) User-Name = "c4-b3-01-d9-4e-6b.v2@rocky*.de"
(12) Framed-IP-Address = 10.0.4.1
(12) NAS-Identifier = "strongSwan"
(12) # Executing section preacct from file /etc/raddb/sites-enabled/default-ikev2
(12) preacct {
(12) [preprocess] = ok
(12) policy acct_unique {
(12) update request {
(12) &Tmp-String-9 := "ai:"
(12) } # update request = noop
(12) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(12) EXPAND %{hex:&Class}
(12) -->
(12) EXPAND ^%{hex:&Tmp-String-9}
(12) --> ^61693a
(12) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(12) else {
(12) update request {
(12) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(12) --> 63a6a17b6051bdcee0b57a043e6e63c4
(12) &Acct-Unique-Session-Id := 63a6a17b6051bdcee0b57a043e6e63c4
(12) } # update request = noop
(12) } # else = noop
(12) } # policy acct_unique = noop
(12) suffix: Checking for suffix after "@"
(12) suffix: Looking up realm "rocky*.de" for User-Name = "c4-b3-01-d9-4e-6b.v2@rocky*.de"
(12) suffix: No such realm "rocky*.de"
(12) [suffix] = noop
(12) [files] = noop
(12) } # preacct = ok
(12) # Executing section accounting from file /etc/raddb/sites-enabled/default-ikev2
(12) accounting {
(12) detail: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(12) detail: --> /var/log/radius/radacct/10.0.3.1/detail-20190723
(12) detail: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.0.3.1/detail-20190723
(12) detail: EXPAND %t
(12) detail: --> Tue Jul 23 12:40:35 2019
(12) [detail] = ok
(12) [unix] = ok
(12) [exec] = noop
(12) attr_filter.accounting_response: EXPAND %{User-Name}
(12) attr_filter.accounting_response: --> c4-b3-01-d9-4e-6b.v2@rocky*.de
(12) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(12) [attr_filter.accounting_response] = updated
(12) } # accounting = updated
(12) Sent Accounting-Response Id 172 from 10.0.3.11:1813 to 10.0.3.1:63156 length 0
(12) Finished request
(12) Cleaning up request packet ID 172 with timestamp +62
Waking up in 0.4 seconds.
(3) Cleaning up request packet ID 163 with timestamp +57
Waking up in 0.4 seconds.
(4) Cleaning up request packet ID 164 with timestamp +58
Waking up in 0.4 seconds.
(5) Cleaning up request packet ID 165 with timestamp +58
Waking up in 0.6 seconds.
(6) Cleaning up request packet ID 166 with timestamp +59
Waking up in 0.5 seconds.
(7) Cleaning up request packet ID 167 with timestamp +59
Waking up in 0.5 seconds.
(8) Cleaning up request packet ID 168 with timestamp +60
Waking up in 0.5 seconds.
(13) Received Accounting-Request Id 173 from 10.0.3.1:63156 to 10.0.3.11:1813 length 216
(13) Acct-Status-Type = Stop
(13) Acct-Session-Id = "1563876546-35"
(13) NAS-Port-Type = Virtual
(13) Service-Type = Framed-User
(13) NAS-Port = 35
(13) NAS-Port-Id = "con-mobile"
(13) NAS-IP-Address = 10.0.1.22
(13) Called-Station-Id = "10.0.1.22[4500]"
(13) Calling-Station-Id = "91.224.227.248[43805]"
(13) User-Name = "c4-b3-01-d9-4e-6b.v2@rocky*.de"
(13) Framed-IP-Address = 10.0.4.1
(13) Acct-Output-Octets = 4356
(13) Acct-Output-Packets = 7
(13) Acct-Input-Octets = 800
(13) Acct-Input-Packets = 8
(13) Acct-Session-Time = 3
(13) Acct-Terminate-Cause = User-Request
(13) NAS-Identifier = "strongSwan"
(13) # Executing section preacct from file /etc/raddb/sites-enabled/default-ikev2
(13) preacct {
(13) [preprocess] = ok
(13) policy acct_unique {
(13) update request {
(13) &Tmp-String-9 := "ai:"
(13) } # update request = noop
(13) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(13) EXPAND %{hex:&Class}
(13) -->
(13) EXPAND ^%{hex:&Tmp-String-9}
(13) --> ^61693a
(13) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(13) else {
(13) update request {
(13) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(13) --> 63a6a17b6051bdcee0b57a043e6e63c4
(13) &Acct-Unique-Session-Id := 63a6a17b6051bdcee0b57a043e6e63c4
(13) } # update request = noop
(13) } # else = noop
(13) } # policy acct_unique = noop
(13) suffix: Checking for suffix after "@"
(13) suffix: Looking up realm "rocky*.de" for User-Name = "c4-b3-01-d9-4e-6b.v2@rocky*.de"
(13) suffix: No such realm "rocky*.de"
(13) [suffix] = noop
(13) [files] = noop
(13) } # preacct = ok
(13) # Executing section accounting from file /etc/raddb/sites-enabled/default-ikev2
(13) accounting {
(13) detail: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(13) detail: --> /var/log/radius/radacct/10.0.3.1/detail-20190723
(13) detail: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.0.3.1/detail-20190723
(13) detail: EXPAND %t
(13) detail: --> Tue Jul 23 12:40:38 2019
(13) [detail] = ok
(13) [unix] = ok
(13) [exec] = noop
(13) attr_filter.accounting_response: EXPAND %{User-Name}
(13) attr_filter.accounting_response: --> c4-b3-01-d9-4e-6b.v2@rocky*.de
(13) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(13) [attr_filter.accounting_response] = updated
(13) } # accounting = updated
(13) Sent Accounting-Response Id 173 from 10.0.3.11:1813 to 10.0.3.1:63156 length 0
(13) Finished request
(13) Cleaning up request packet ID 173 with timestamp +65
Waking up in 0.2 seconds.
(9) Cleaning up request packet ID 169 with timestamp +60
Waking up in 0.6 seconds.
(10) Cleaning up request packet ID 170 with timestamp +61
Waking up in 0.4 seconds.
(11) Cleaning up request packet ID 171 with timestamp +61
Ready to process requests