> Do a WiFi connection, and read the debug output for *that*.

Good idea - I have some progress in debugging:
This snippet shows that at least SSL certs are working & being accepted by radius:

++++-----------------------------------------------------+++
Thu Jan 17 21:58:15 2013 : Info: # Executing section authorize from file /etc/freeradius2/sites/default
Thu Jan 17 21:58:15 2013 : Info: +- entering group authorize {...}
Thu Jan 17 21:58:15 2013 : Info: [eap] EAP packet type response id 255 length 208
Thu Jan 17 21:58:15 2013 : Info: [eap] Continuing tunnel setup.
Thu Jan 17 21:58:15 2013 : Info: ++[eap] returns ok
Thu Jan 17 21:58:15 2013 : Info: Found Auth-Type = EAP
Thu Jan 17 21:58:15 2013 : Info: # Executing group from file /etc/freeradius2/sites/default
Thu Jan 17 21:58:15 2013 : Info: +- entering group authenticate {...}
Thu Jan 17 21:58:15 2013 : Info: [eap] Request found, released from the list
Thu Jan 17 21:58:15 2013 : Info: [eap] EAP/peap
Thu Jan 17 21:58:15 2013 : Info: [eap] processing type peap
Thu Jan 17 21:58:15 2013 : Info: [peap] processing EAP-TLS
Thu Jan 17 21:58:15 2013 : Debug: TLS Length 198
Thu Jan 17 21:58:15 2013 : Info: [peap] Length Included
Thu Jan 17 21:58:15 2013 : Info: [peap] eaptls_verify returned 11
Thu Jan 17 21:58:15 2013 : Info: [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
Thu Jan 17 21:58:16 2013 : Info: [peap] TLS_accept: SSLv3 read client key exchange A
Thu Jan 17 21:58:16 2013 : Info: [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
Thu Jan 17 21:58:16 2013 : Info: [peap] <<< TLS 1.0 Handshake [length 0010], Finished
Thu Jan 17 21:58:16 2013 : Info: [peap] TLS_accept: SSLv3 read finished A
Thu Jan 17 21:58:16 2013 : Info: [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
Thu Jan 17 21:58:16 2013 : Info: [peap] TLS_accept: SSLv3 write change cipher spec A
Thu Jan 17 21:58:16 2013 : Info: [peap] >>> TLS 1.0 Handshake [length 0010], Finished
Thu Jan 17 21:58:16 2013 : Info: [peap] TLS_accept: SSLv3 write finished A
Thu Jan 17 21:58:16 2013 : Info: [peap] TLS_accept: SSLv3 flush data
Thu Jan 17 21:58:16 2013 : Info: [peap] (other): SSL negotiation finished successfully
Thu Jan 17 21:58:16 2013 : Debug: SSL Connection Established
++++-----------------------------------------------------+++

OTHER INTERESTING CODE I FIND (No NT/LM-Password):

++++-----------------------------------------------------+++
hu Jan 17 21:58:16 2013 : Info: # Executing section authorize from file /etc/freeradius2/sites/default
Thu Jan 17 21:58:16 2013 : Info: +- entering group authorize {...}
Thu Jan 17 21:58:16 2013 : Info: [eap] EAP packet type response id 2 length 65
Thu Jan 17 21:58:16 2013 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Thu Jan 17 21:58:16 2013 : Info: ++[eap] returns updated
Thu Jan 17 21:58:16 2013 : Info: ++[files] returns noop
Thu Jan 17 21:58:16 2013 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Thu Jan 17 21:58:16 2013 : Info: ++[pap] returns noop
Thu Jan 17 21:58:16 2013 : Info: Found Auth-Type = EAP
Thu Jan 17 21:58:16 2013 : Info: # Executing group from file /etc/freeradius2/sites/default
Thu Jan 17 21:58:16 2013 : Info: +- entering group authenticate {...}
Thu Jan 17 21:58:16 2013 : Info: [eap] Request found, released from the list
Thu Jan 17 21:58:16 2013 : Info: [eap] EAP/mschapv2
Thu Jan 17 21:58:16 2013 : Info: [eap] processing type mschapv2
Thu Jan 17 21:58:16 2013 : Info: [mschapv2] # Executing group from file /etc/freeradius2/sites/default
Thu Jan 17 21:58:16 2013 : Info: [mschapv2] +- entering group MS-CHAP {...}
Thu Jan 17 21:58:16 2013 : Info: [mschap] No Cleartext-Password configured. Cannot create LM-Password.
Thu Jan 17 21:58:16 2013 : Info: [mschap] No Cleartext-Password configured. Cannot create NT-Password.
Thu Jan 17 21:58:16 2013 : Info: [mschap] Creating challenge hash with username: pospda
Thu Jan 17 21:58:16 2013 : Info: [mschap] Client is using MS-CHAPv2 for pospda, we need NT-Password
Thu Jan 17 21:58:16 2013 : Info: [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
Thu Jan 17 21:58:16 2013 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect
Thu Jan 17 21:58:16 2013 : Info: ++[mschap] returns reject
Thu Jan 17 21:58:16 2013 : Info: [eap] Freeing handler
Thu Jan 17 21:58:16 2013 : Info: ++[eap] returns reject
Thu Jan 17 21:58:16 2013 : Info: Failed to authenticate the user.
Thu Jan 17 21:58:16 2013 : Auth: Login incorrect: [pospda/<via Auth-Type = EAP>] (from client localhost port 1 cli 00-1F-1F-91-32-E4 via TLS tunnel)
++++-----------------------------------------------------+++

This I did not configure & probably should?

> how does the RADIUS server know how to authenticate the user?

Many many thanks.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
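
A small triage script for debug output like the log in this message, added here as an example (it is not part of the original message and not FreeRADIUS code): it reports whether the TLS tunnel came up, which inner EAP type ran, and which module rejected the user. The function names and the summary wording are assumptions; the sample lines are copied from the log above.

```python
import re

# A few lines copied from the debug output quoted in this message.
SAMPLE = """\
Thu Jan 17 21:58:16 2013 : Info: [peap] (other): SSL negotiation finished successfully
Thu Jan 17 21:58:16 2013 : Debug: SSL Connection Established
Thu Jan 17 21:58:16 2013 : Info: [eap] processing type mschapv2
Thu Jan 17 21:58:16 2013 : Info: [mschap] No Cleartext-Password configured. Cannot create NT-Password.
Thu Jan 17 21:58:16 2013 : Info: [mschap] Client is using MS-CHAPv2 for pospda, we need NT-Password
Thu Jan 17 21:58:16 2013 : Info: [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
Thu Jan 17 21:58:16 2013 : Info: ++[mschap] returns reject
Thu Jan 17 21:58:16 2013 : Auth: Login incorrect: [pospda/<via Auth-Type = EAP>] (from client localhost port 1 cli 00-1F-1F-91-32-E4 via TLS tunnel)
"""

# "<timestamp> : <level>: [module] message" -> (module or None, message)
LINE = re.compile(r"^.*? : (?:Info|Debug|Auth|Error): (?:\+*\[(\w+)\] )?(.*)$")

def triage(log_text):
    """Summarise where a PEAP/MS-CHAPv2 attempt stopped (hypothetical helper)."""
    r = {"tls_ok": False, "inner": None, "user": None,
         "no_password": False, "rejected_by": None}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        module, msg = m.groups()
        if "SSL negotiation finished successfully" in msg:
            r["tls_ok"] = True
        elif module == "eap" and msg.startswith("processing type "):
            r["inner"] = msg.split()[-1]  # last type seen is the inner method
        elif module == "mschap" and "No NT/LM-Password" in msg:
            r["no_password"] = True
        elif module and msg == "returns reject" and r["rejected_by"] is None:
            r["rejected_by"] = module     # first module to reject is the cause
        elif msg.startswith("Login incorrect: ["):
            r["user"] = msg.split("[", 1)[1].split("/", 1)[0]
    return r

def diagnose(r):
    if r["tls_ok"] and r["no_password"]:
        return (f"TLS tunnel is fine; {r['rejected_by']} rejected {r['user']} "
                "because no Cleartext-Password or NT-Password was found for the user")
    if not r["tls_ok"]:
        return "TLS tunnel was not established; look at certificates first"
    return "tunnel established; no missing-password marker found"

if __name__ == "__main__":
    print(diagnose(triage(SAMPLE)))
```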