Below is the whole output. I have two questions: 1. Is this correct because I kinda think this is the problem. --> peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes }
2. How can I tell what MSCHAPv2 didn't like about the previous packet? I still believe it is a password styled issue. I have tried NT hash, cleartext, etc. nothing works. Any help would be greatly appriecated! Thanks. Starting - reading configuration files ... including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including configuration file /usr/local/etc/raddb/snmp.conf including configuration file /usr/local/etc/raddb/eap.conf including configuration file /usr/local/etc/raddb/sql.conf including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf including configuration file /usr/local/etc/raddb/policy.conf including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/default including dictionary file /usr/local/etc/raddb/dictionary main { prefix = "/usr/local" localstatedir = "/usr/local/var" logdir = "/usr/local/var/log/radius" libdir = "/usr/local/lib" radacctdir = "/usr/local/var/log/radius/radacct" hostname_lookups = no max_request_time = 120 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/usr/local/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 10.2.1.55 netmask = 24 require_message_authenticator = no secret = "inc123" nastype = "other" } client 172.27.10.0/24 { require_message_authenticator = no secret = "inc123" shortname = "172.27.10-network" } client 10.15.1.0/24 { require_message_authenticator = no secret = "inc123" shortname = "10.15.1-network" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_check = "none" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.pem" certificate_file = "/usr/local/etc/raddb/certs/server.pem" CA_file = "/usr/local/etc/raddb/certs/ca.pem" private_key_password = "incnetworks" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/usr/local/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/usr/local/etc/raddb/certs/bootstrap" } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/usr/local/etc/raddb/huntgroups" hints = "/usr/local/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_ldap Module: Instantiating ldap ldap { server = "localhost" port = 389 password = "" identity = "" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "dc=incnetworks,dc=com" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" password_attribute = "LDAPRADIUSPassword" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupO fUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap" ldap_debug = 40 ldap_connections_number = 5 compare_check_items = no do_xlat = yes set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section. rlm_ldap: reading ldap<->radius mappings from file /usr/local/etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message conns: 0x917f948 Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/usr/local/etc/raddb/users" acctusersfile = "/usr/local/etc/raddb/acct_users" preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" compat = "no" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/usr/local/var/log/radius/radwtmp" } Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/usr/local/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/usr/local/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/usr/local/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. User-Name = "newME" NAS-IP-Address = 0.0.0.0 Framed-MTU = 1488 Called-Station-Id = "00:0c:84:02:a2:59" Calling-Station-Id = "00:1c:bf:86:6a:c4" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "NAP" Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0201000a016e65774d45 Message-Authenticator = 0x196dd1b8cec5514107a36a5bac05e008 +- entering group authorize ++[preprocess] returns ok rlm_realm: No '@' in User-Name = "newME", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 1 length 10 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rlm_ldap: - authorize rlm_ldap: performing user authorization for newME WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=newME) expand: dc=incnetworks,dc=com -> dc=incnetworks,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as / to localhost:389 rlm_ldap: waiting for bind result ... request done: ld 0x918b8d8 msgid 1 rlm_ldap: Bind was successful rlm_ldap: performing search in dc=incnetworks,dc=com, with filter (uid=newME) request done: ld 0x918b8d8 msgid 2 rlm_ldap: Added User-Password = william in check items rlm_ldap: looking for check items in directory... rlm_ldap: LDAP attribute radiusTunnelPrivateGroupId as RADIUS attribute Tunnel-Private-Group-Id:0 == "300" rlm_ldap: LDAP attribute radiusTunnelMediumType as RADIUS attribute Tunnel-Medium-Type:0 == IEEE-802 rlm_ldap: LDAP attribute radiusTunnelType as RADIUS attribute Tunnel-Type:0 == VLAN rlm_ldap: LDAP attribute ntPassword as RADIUS attribute NT-Password == 0x77696c6c69616d rlm_ldap: looking for reply items in directory... rlm_ldap: user newME authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop rad_check_password: Found Auth-Type EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5709d887570bc1bb8ae83da2d1a3b270 Finished request 0. Going to the next request Waking up in 4.9 seconds. User-Name = "newME" NAS-IP-Address = 0.0.0.0 Framed-MTU = 1488 Called-Station-Id = "00:0c:84:02:a2:59" Calling-Station-Id = "00:1c:bf:86:6a:c4" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "NAP" Connect-Info = "CONNECT 11Mbps 802.11b" State = 0x5709d887570bc1bb8ae83da2d1a3b270 EAP-Message = 0x0202006a1900160301005f0100005b03014863dae5d75432419526716b23fb30267cbc133c 331a154fb249d9300860db3a00003400390038003500160013000a00330032002f0066000500 04006500640063006200610060001500120009001400110008000600030100 Message-Authenticator = 0xd29a5f613a0b34f71837d0809f9d4f31 +- entering group authorize ++[preprocess] returns ok rlm_realm: No '@' in User-Name = "newME", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 2 length 106 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 005f], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 08be], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange TLS_accept: SSLv3 write key exchange A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled EAP-Message = 0x0103040019c000000b2d160301004a0200004603014863dae370aecd4d502255cd2a84d641 b3691e6ad19845eb5de232d2cb59e7f9207829cefcb1e7a7a8525be4b0eab40cf8d4de729ef9 892ad5aaf2cd70e8698dab00390016030108be0b0008ba0008b70003cb308203c7308202afa0 03020102020101300d06092a864886f70d01010405003081a6310b3009060355040613025553 311330110603550408130a4e6577204a6572736579311430120603550407130b4c6f6e672042 72616e6368311a3018060355040a1311696e634e4554574f524b532c20496e632e3124302206 092a864886f70d010901161561646d696e40696e636e6574776f EAP-Message = 0x726b732e636f6d312a302806035504031321696e634e4554574f524b532043657274696669 6361746520417574686f72697479301e170d3038303632353137353535345a170d3039303632 353137353535345a30818d310b3009060355040613025553311330110603550408130a4e6577 204a6572736579311a3018060355040a1311696e634e4554574f524b532c20496e632e312730 250603550403131e696e634e4554574f524b5320536572766572204365727469666963617465 3124302206092a864886f70d010901161561646d696e40696e636e6574776f726b732e636f6d 30820122300d06092a864886f70d01010105000382010f003082 EAP-Message = 0x010a0282010100b8bee7171eb400a47c91f548021e04d1f229b4d1e0d5c849db759be47184 e786cea4d36c21fbf989d4092ec2205954bc529e27fdbda7a1bc42473e5ecd0eff940e153fac 67e0fe4fa96550f3abfbc04077c0fe90b5a458d23e8322caafacdd8fb22b801fee24ae9ca6dc bbe52573f8541e7abb083e5ff355cf103312e03ce557b4a8bab706a07d7d91518e8bd2bdd8f7 056ca64dfc784195f39f17295a289937b831990bf3aedf68dd14881d381c5ba11e0205f45cc3 2c2b731f22aa1ad569f26660a4f0e9186168dfc52fdecd30649038fe79d856ec5bca5429d4ca ae5312f4d7212272ed33f9960e796e2147b1466bc5d60ffa5a42 EAP-Message = 0x357ce9865d86800b2c430203010001a317301530130603551d25040c300a06082b06010505 070301300d06092a864886f70d010104050003820101002547cd57ee76bd9b515194c765e0f5 29c96d7bed1c30873662dd6ae39b45451045eb4d7a10ec93b94f79d16eed1a074eaf5152275d 1bca6aae8c9bc03be921407d4f1cc39feb61f3c46c9c6b212bc1a3db44eeb494cc59865c774b 70e50ade1ff4a873bc8f20ddb38ac5fa6eef4716fe912875a87ab4f2ad18f63c86fb9d3dce67 94fa514be846f3e820fbf94c3723c589b3973df4ac9f90b859da63ef1638c6b8ba61ef04eb30 d4c431c18066571a06ae9c89467f5bedf1788e8224a8eed64614 EAP-Message = 0xed648d2c9c9750f70291603c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5709d887560ac1bb8ae83da2d1a3b270 Finished request 1. Going to the next request Waking up in 4.9 seconds. User-Name = "newME" NAS-IP-Address = 0.0.0.0 Framed-MTU = 1488 Called-Station-Id = "00:0c:84:02:a2:59" Calling-Station-Id = "00:1c:bf:86:6a:c4" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "NAP" Connect-Info = "CONNECT 11Mbps 802.11b" State = 0x5709d887560ac1bb8ae83da2d1a3b270 EAP-Message = 0x020300061900 Message-Authenticator = 0xe1ca9d3ecc4544fc8498b79d1f9338b6 +- entering group authorize ++[preprocess] returns ok rlm_realm: No '@' in User-Name = "newME", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 3 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled EAP-Message = 0x010403fc1940fb47bf22bba6e1f56e3b2be24091664c37ecf49a4f5b02d19c6f8cad66bc7c 054e4b96b8e3d395ab7a7c2995f929231fa8fa0d0004e6308204e2308203caa0030201020209 0090dde38fbeb1c1d1300d06092a864886f70d01010505003081a6310b300906035504061302 5553311330110603550408130a4e6577204a6572736579311430120603550407130b4c6f6e67 204272616e6368311a3018060355040a1311696e634e4554574f524b532c20496e632e312430 2206092a864886f70d010901161561646d696e40696e636e6574776f726b732e636f6d312a30 2806035504031321696e634e4554574f524b5320436572746966 EAP-Message = 0x696361746520417574686f72697479301e170d3038303632353137353535325a170d303830 3732353137353535325a3081a6310b3009060355040613025553311330110603550408130a4e 6577204a6572736579311430120603550407130b4c6f6e67204272616e6368311a3018060355 040a1311696e634e4554574f524b532c20496e632e3124302206092a864886f70d0109011615 61646d696e40696e636e6574776f726b732e636f6d312a302806035504031321696e634e4554 574f524b5320436572746966696361746520417574686f7269747930820122300d06092a8648 86f70d01010105000382010f003082010a0282010100d1208462 EAP-Message = 0xea8fd84d9e185c03a179b2a9d1c1104c445e6c8439ec8f337993a677b16657cdf8b3b08495 3ef59ccf92f2a407ed96606db0cb84f1b6691a487c0e0f394ee3ef92bf8c30ffa27ff5b0ef8d dc995c159118f248a81f56f604dd22a23dc6d7fa7caa6d3215ce35127bb79cae11f44c279d1e c30a5b5fef759ad724c448e80a8528de383a00e81bff0716a15352ec2723b6602654516b83da 31ea7cba4fab100a278d63784e7d3da2a1883fd8de1d7057788903300ba47add6d3b56b8c75d ed94a14df2cc93b9b2613f9d0fc04cc157a9eb7099485356da5b8da147604f4c718a173ac0f6 34170117f43a532bd2498e3889f952ce413e0631017243d03902 EAP-Message = 0x03010001a382010f3082010b301d0603551d0e0416041471984cf66dfaf43b99e9b1b8ba03 27c3a38622083081db0603551d230481d33081d0801471984cf66dfaf43b99e9b1b8ba0327c3 a3862208a181aca481a93081a6310b3009060355040613025553311330110603550408130a4e 6577204a6572736579311430120603550407130b4c6f6e67204272616e6368311a3018060355 040a1311696e634e4554574f524b532c20496e632e3124302206092a864886f70d0109011615 61646d696e40696e636e6574776f726b732e636f6d312a302806035504031321696e634e4554 574f524b5320436572746966696361746520417574686f726974 EAP-Message = 0x7982090090dde38f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5709d887550dc1bb8ae83da2d1a3b270 Finished request 2. Going to the next request Waking up in 4.9 seconds. User-Name = "newME" NAS-IP-Address = 0.0.0.0 Framed-MTU = 1488 Called-Station-Id = "00:0c:84:02:a2:59" Calling-Station-Id = "00:1c:bf:86:6a:c4" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "NAP" Connect-Info = "CONNECT 11Mbps 802.11b" State = 0x5709d887550dc1bb8ae83da2d1a3b270 EAP-Message = 0x020400061900 Message-Authenticator = 0xa7553af17b7b33879dda04b44243f5bf +- entering group authorize ++[preprocess] returns ok rlm_realm: No '@' in User-Name = "newME", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 4 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled EAP-Message = 0x010503471900beb1c1d1300c0603551d13040530030101ff300d06092a864886f70d010105 05000382010100c48c67a9affe2f0b3cc9a3efd411b69605499b2454953152ffb978ec064d9d 1bd675316282e03b3940e50c80b186c6209a067b6d41825e8cc4a538e424aefae267bbbab105 477a63157690d20b3cc27dc0d8e072e100ba786746c9a49757078239cbc1f56a7f0e4ef9b881 ab77cb045dbafbd17c2266ff0003fbc1722254de079643cfb2d5de4c33ca45d335eeef7c836f 7ddc4577649c22fee7a37357a1ff7e51c862fb214f642f84b76a2257b5ed453cf15085987df7 c90622a1d28d5fe19fa7f8277d2e32d67346b3b6ce1b5cee9177 EAP-Message = 0x24f9738c6b74c5c6cce59145a0d9038dd953a91b43b638d31741095abe6f7ceccfae9b5e66 083086bf3802beac4229160301020d0c0002090080f6f39ebeef4713cf31ffa55c7b649b3f25 4c526b9aeadeb0dbcbeac7a273e480c030e623adb5336041ed1fdee34107c77807d03b407264 7eea1b908a107412f51ad72f21d941c677dd24303351001ea3b85b08a7c9e0399b53ac6dd152 1800e6c1cccd91d68c33fc624c2d629cde053b033382c210af06b42745ca9f51f8e04b000102 0080abac109fc540c884538ca35c4b6b47764cf269be201de13349900cd763b17feb59527966 727f963e9cb61d0d2c691183a2f2175907e45d1081e011bdb7a1 EAP-Message = 0x4dbbdeaf63c9be69c2d8796df141d69fc65cf1bc393f536dfa206baeb5401869c3c61a8efa 2058c4539bbeb1f7700df48d0b38aa462fe16951df9f0f7b650a61f60c0100627b666f16674e 1968065868376843303b6cef391d185c7841a2ba64f9c8f9186a2570e329cc849120cde21f6c fb6871479b8199423cbe4bf5b0ddb81c5e496cd3f35e1bffcfaa8cdcf17cc7c47f00c27b1807 2e123fc4a159ea93acb9029fbeb2812e41388cf42e03832e4794c71b9e1dfdab563436988a17 6efcf3d6744036d111af91c9a72308e6869cbee9d2143078a56239f89798a0c591b8dc40e9f4 e357ca4a36335137de3ad95644c0ab8b26ab98e0c78c82d657a6 EAP-Message = 0x023428638ae4992265968f0a929e80ccd650d82df8af8f22ea83a3693b9a76525056bd3308 ea3fe33efbaac761e4fecd665a5c57ee80fb6e780f83aa81c2f8fa0f47e87253045416030100 040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5709d887540cc1bb8ae83da2d1a3b270 Finished request 3. Going to the next request Waking up in 3.5 seconds. User-Name = "newME" NAS-IP-Address = 0.0.0.0 Framed-MTU = 1488 Called-Station-Id = "00:0c:84:02:a2:59" Calling-Station-Id = "00:1c:bf:86:6a:c4" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "NAP" Connect-Info = "CONNECT 11Mbps 802.11b" State = 0x5709d887540cc1bb8ae83da2d1a3b270 EAP-Message = 0x020500cc19001603010086100000820080730f8d61efcc8d27b7253b7378745639a8abde94 b10901df83a8c2f397a8b7975dce45273b5b9c8c61adb75be948d5e0f74e964aa30cc0257186 77e689856f1cee2b8e298c80c23c5485716c9cbfda3cf409f356674b35578e4acade4af2732e 643cf0e57beabdbd29195fed7a6d3bcc74c1b9b2dd83093c82d04070eae39985140301000101 16030100302f01084a564d08fb60174d9ebcc44730a2a74d05f8c5f477fbb610b30dd6d7189f c88b34e8790f12e2672b64b1ec3ffc Message-Authenticator = 0xd748a6748bec76596e829b86b7a69b6f +- entering group authorize ++[preprocess] returns ok rlm_realm: No '@' in User-Name = "newME", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 5 length 204 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled EAP-Message = 0x0106004119001403010001011603010030c2d3b1aa2e22839b17ae374b3d11226b8fc4b953 aa3cfad00f22aafe669328d1cbc24e9512cffd0c6fd840bc4c8d8004 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5709d887530fc1bb8ae83da2d1a3b270 Finished request 4. Going to the next request Waking up in 3.4 seconds. User-Name = "newME" NAS-IP-Address = 0.0.0.0 Framed-MTU = 1488 Called-Station-Id = "00:0c:84:02:a2:59" Calling-Station-Id = "00:1c:bf:86:6a:c4" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "NAP" Connect-Info = "CONNECT 11Mbps 802.11b" State = 0x5709d887530fc1bb8ae83da2d1a3b270 EAP-Message = 0x020600061900 Message-Authenticator = 0x1eda821bf40068808ce340e5b9a1aa37 +- entering group authorize ++[preprocess] returns ok rlm_realm: No '@' in User-Name = "newME", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 6 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS ++[eap] returns handled EAP-Message = 0x0107002b19001703010020f1cd4cca3933b6de7604a72b8a749037b9c278f832e282073ffe 984571d4ef79 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5709d887520ec1bb8ae83da2d1a3b270 Finished request 5. Going to the next request Waking up in 3.3 seconds. User-Name = "newME" NAS-IP-Address = 0.0.0.0 Framed-MTU = 1488 Called-Station-Id = "00:0c:84:02:a2:59" Calling-Station-Id = "00:1c:bf:86:6a:c4" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "NAP" Connect-Info = "CONNECT 11Mbps 802.11b" State = 0x5709d887520ec1bb8ae83da2d1a3b270 EAP-Message = 0x0207005019001703010020bf3a40a5b1e6800af9d4d1021a3eebd3a0968fcadcb426e714c3 7763805268581703010020775d23abc0e86c978c5f5c962d297798e094e41830f2be1e3b5256 00a4c6fc20 Message-Authenticator = 0x20b60734feebecc6229b631422bfaa18 +- entering group authorize ++[preprocess] returns ok rlm_realm: No '@' in User-Name = "newME", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 7 length 80 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - newME PEAP: Got tunneled identity of newME PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to newME +- entering group authorize ++[preprocess] returns ok rlm_realm: No '@' in User-Name = "newME", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 7 length 10 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rlm_ldap: - authorize rlm_ldap: performing user authorization for newME WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=newME) expand: dc=incnetworks,dc=com -> dc=incnetworks,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=incnetworks,dc=com, with filter (uid=newME) request done: ld 0x918b8d8 msgid 3 rlm_ldap: Added User-Password = william in check items rlm_ldap: looking for check items in directory... rlm_ldap: LDAP attribute radiusTunnelPrivateGroupId as RADIUS attribute Tunnel-Private-Group-Id:0 == "300" rlm_ldap: LDAP attribute radiusTunnelMediumType as RADIUS attribute Tunnel-Medium-Type:0 == IEEE-802 rlm_ldap: LDAP attribute radiusTunnelType as RADIUS attribute Tunnel-Type:0 == VLAN rlm_ldap: LDAP attribute ntPassword as RADIUS attribute NT-Password == 0x77696c6c69616d rlm_ldap: looking for reply items in directory... rlm_ldap: user newME authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop rad_check_password: Found Auth-Type EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled PEAP: Got tunneled Access-Challenge ++[eap] returns handled EAP-Message = 0x0108003b1900170301003055710cbfe022150dd25b8f60c6ee7d9052b0b7c28e7c8e462ab8 e0fa2a6595a16a66ab90422024d1524ddb735e555968 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5709d8875101c1bb8ae83da2d1a3b270 Finished request 6. Going to the next request Waking up in 3.3 seconds. User-Name = "newME" NAS-IP-Address = 0.0.0.0 Framed-MTU = 1488 Called-Station-Id = "00:0c:84:02:a2:59" Calling-Station-Id = "00:1c:bf:86:6a:c4" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "NAP" Connect-Info = "CONNECT 11Mbps 802.11b" State = 0x5709d8875101c1bb8ae83da2d1a3b270 EAP-Message = 0x0208005019001703010020e312832ce10c356d5ba80016b88820450b10ec41a4e42b6ec344 8d31e814703b170301002001ea1cd711762165d36a5fdf66e918082c6292adae7809e357a45f b6ef9605c0 Message-Authenticator = 0xd6b1ee295256aadfc9ba4a2d8d1041ed +- entering group authorize ++[preprocess] returns ok rlm_realm: No '@' in User-Name = "newME", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 8 length 80 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 PEAP: Setting User-Name to newME +- entering group authorize ++[preprocess] returns ok rlm_realm: No '@' in User-Name = "newME", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 8 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rlm_ldap: - authorize rlm_ldap: performing user authorization for newME WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=newME) expand: dc=incnetworks,dc=com -> dc=incnetworks,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=incnetworks,dc=com, with filter (uid=newME) request done: ld 0x918b8d8 msgid 4 rlm_ldap: Added User-Password = william in check items rlm_ldap: looking for check items in directory... rlm_ldap: LDAP attribute radiusTunnelPrivateGroupId as RADIUS attribute Tunnel-Private-Group-Id:0 == "300" rlm_ldap: LDAP attribute radiusTunnelMediumType as RADIUS attribute Tunnel-Medium-Type:0 == IEEE-802 rlm_ldap: LDAP attribute radiusTunnelType as RADIUS attribute Tunnel-Type:0 == VLAN rlm_ldap: LDAP attribute ntPassword as RADIUS attribute NT-Password == 0x77696c6c69616d rlm_ldap: looking for reply items in directory... rlm_ldap: user newME authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop rad_check_password: Found Auth-Type EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Invalid response type 4 rlm_eap: Handler failed in EAP/mschapv2 rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Login incorrect: [newME/<via Auth-Type = EAP>] (from client 10.15.1-network port 0 cli 00:1c:bf:86:6a:c4) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ++[eap] returns handled EAP-Message = 0x0109002b190017030100203ff4efba26d43a2c69d7f1bb068e99fa148c805ac6dbee568371 2eb53b9cbd1c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5709d8875000c1bb8ae83da2d1a3b270 Finished request 7. Going to the next request Waking up in 3.3 seconds. User-Name = "newME" NAS-IP-Address = 0.0.0.0 Framed-MTU = 1488 Called-Station-Id = "00:0c:84:02:a2:59" Calling-Station-Id = "00:1c:bf:86:6a:c4" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "NAP" Connect-Info = "CONNECT 11Mbps 802.11b" State = 0x5709d8875000c1bb8ae83da2d1a3b270 EAP-Message = 0x020900501900170301002085ba3da041ea8350f49ddbe34a8c6b920096ca37d0dc585eabf2 233a49fdf7481703010020c0248ee54f98c6f850fe30b28259038254f7ccb7b3056b5c50ed0d 81fc0bf629 Message-Authenticator = 0xd2885c1162e5d5da2923cb526e0bdd65 +- entering group authorize ++[preprocess] returns ok rlm_realm: No '@' in User-Name = "newME", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 9 length 80 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Login incorrect: [newME/<via Auth-Type = EAP>] (from client 10.15.1-network port 0 cli 00:1c:bf:86:6a:c4) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> newME attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 8 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 8 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 2.2 seconds. Cleaning up request 0 ID 2 with timestamp +57 Cleaning up request 1 ID 4 with timestamp +57 Cleaning up request 2 ID 6 with timestamp +57 Waking up in 1.3 seconds. Cleaning up request 3 ID 8 with timestamp +59 Waking up in 0.1 seconds. Cleaning up request 4 ID 10 with timestamp +59 Cleaning up request 5 ID 12 with timestamp +59 Cleaning up request 6 ID 14 with timestamp +59 Cleaning up request 7 ID 16 with timestamp +59 Waking up in 1.0 seconds. Cleaning up request 8 ID 18 with timestamp +59 Ready to process requests. William E. W. Russell Member of Technical Staff (Software Development) 198 Brighton Avenue Long Branch, New Jersey 07740 Home #: 732-752-2037 Cell #: 732-744-6483 -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] rg] On Behalf Of Alan DeKok Sent: Thursday, June 26, 2008 4:36 AM To: FreeRadius users mailing list Subject: Re: openLDAP & freeRADIUS William E. Russell wrote: > I have correctly set up freeRADIUS to read from my openLDAP. I can't > seem to authenticate my user. I have narrowed down the error to a single > line, "rlm_eap_mschapv2: Invalid response type 4". From my hours of > searching online, I have realized that all this means is that there was an > error in the response packet. Code 4 is MS-CHAP failure. It means that the client told the server it didn't like the previous packet. > I have no idea what error could have occurred. > I believe it may have to do with the password_attribute. I read something > documentation that said there was some issue with LDAP and passing a > cleartext password. Also, as you can see, I am using EAP/PEAP with MSCHAP. > Any body have any insight in to this type of thing? If I could just get some > help on how to set up the LDAP and RADIUS, that would be great - I have read > just about every single tutorial so please don't direct me to one of those. > I need someone who has a similar set up - what did you use for password > attribute? userPassword. Step 1: Get PEAP working with an entry in the "users" file. Step 2: Get LDAP working with PAP (radclient). Verify that it is NOT doing "bind as user" Step 3: Verify that PEAP works against LDAP. PLEASE show the debug output. The reason we ask for it is because it is the DEFINITIVE explanation of what's going on, and the ONLY way to help you solve the problem. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html