I'm trying to enable user authentication in AD with 802.1x. I've configured the switches and PacketFence. When I restart the computer, before user authentication, PacketFence successfully authorizes the computer (machine authentication) and places it in the correct production VLAN. However, when the user logs into Windows, the user authentication fails and PacketFence moves it back to the isolation VLAN. I'm having issues with this RADIUS configuration.

radius.log

2025-09-17T09:49:49.802869-04:00 nac auth[896559]: (467) mschap: ERROR: Program returned code (5) and output ''
2025-09-17T09:49:49.803507-04:00 nac auth[896559]: (467) Login incorrect (mschap: Program returned code (5) and output ''): [DOMAIN\username] (from client XXX.XXX.XXX.XXX/32 port 6 cli XX:XX:XX:XX:XX:XX via TLS tunnel)
2025-09-17T09:49:49.816518-04:00 nac auth[896559]: VERIFY returned 7
2025-09-17T09:49:49.816747-04:00 nac auth[896559]: (468) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [DOMAIN\username] (from client XXX.XXX.XXX.XXX/32 port 6 cli XX:XX:XX:XX:XX:XX)

In the RADIUS audit (RADIUS Request) from PacketFence, the following appears (I noticed that the username is in the format DOMAINusername, instead of DOMAIN\username or just username):

Called-Station-Id = "XX:XX:XX:XX:XX:XX",
Calling-Station-Id = "XX:XX:XX:XX:XX:XX",
EAP-Message = "0x025200471a0252004231f7f7d8548ffcee6607d4e2be50cee0d80000000000000000f8b8fe3c8265136f88d02471c1b0e88eb31bd021a1b83f3200534543454c5c616c6970696f",
EAP-Type = "MSCHAPv2",
Event-Timestamp = "Sep 17 2025 09:49:49 -04",
FreeRADIUS-Proxied-To = "127.0.0.1",
MS-CHAP-Challenge = "0xf64e8a99c5c77dfc64062816ec53a059",
MS-CHAP-User-Name = "DOMAINusername",
MS-CHAP2-Response = "0x5245f7f7d8548ffcee6607d4e2be50cee0d80000000000000000f8b8fe3c8265136f88d02471c1b0e88eb31bd021a1b83f32",
Module-Failure-Message = "mschap: Program returned code (5) and output ''",
Module-Failure-Message = "mschap: External script says: ",
Module-Failure-Message = "mschap: MS-CHAP2-Response is incorrect",
NAS-IP-Address = "XXX.XXX.XXX.XXX",
NAS-Identifier = "SWITCHE-ARUBA-6100",
NAS-Port = "6",
NAS-Port-Id = "1/1/6",
NAS-Port-Type = "Ethernet",
PacketFence-KeyBalanced = "eb1405b1ec04752f2316b848fe4fd2ff",
PacketFence-NTLM-Auth-Host = "",
PacketFence-NTLM-Auth-Port = "",
PacketFence-Outer-User = "DOMAINusername",
PacketFence-Radius-Ip = "XXX.XXX.XXX.XXX",
Realm = "default",
Service-Type = "Framed-User",
State = "0xbf89ddc3bfdbc7a4db01df45deca9adf",
Stripped-User-Name = "username",
User-Name = "DOMAINusername",
User-Password = "******"

Any tips on how to fix this?
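
Added example, not part of the original post and not PacketFence or FreeRADIUS code: a small Python parser for an EAP-Message value like the one in the RADIUS audit above. It extracts the Name field of an EAP-MSCHAPv2 Response so the identity the supplicant sent can be compared with how MS-CHAP-User-Name is rendered. The function names and the sample packet (zeroed challenge and response, name DOMAIN\username) are constructed for illustration.

```python
import struct

EAP_RESPONSE = 2        # EAP Code: Response
EAP_TYPE_MSCHAPV2 = 26  # EAP Type 0x1a
OP_RESPONSE = 2         # MS-CHAPv2 OpCode: Response
VALUE_SIZE = 49         # Peer-Challenge(16) + Reserved(8) + NT-Response(24) + Flags(1)


def parse_mschapv2_response(hex_value):
    """Parse an EAP-MSCHAPv2 Response given as the audit's hex string."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 10 + VALUE_SIZE:
        raise ValueError("too short for an EAP-MSCHAPv2 Response")
    code, eap_id, eap_len, eap_type = struct.unpack("!BBHB", raw[:5])
    opcode, ms_id, ms_len, value_size = struct.unpack("!BBHB", raw[5:10])
    if (code, eap_type, opcode) != (EAP_RESPONSE, EAP_TYPE_MSCHAPV2, OP_RESPONSE):
        raise ValueError("not an EAP-MSCHAPv2 Response packet")
    if eap_len != len(raw) or ms_len != eap_len - 5 or value_size != VALUE_SIZE:
        raise ValueError("inconsistent length fields (truncated or fragmented?)")
    value = raw[10:10 + VALUE_SIZE]
    # Everything after the 49-byte value is the identity exactly as sent on the wire.
    name = raw[10 + VALUE_SIZE:].decode("utf-8", errors="replace")
    domain, sep, user = name.rpartition("\\")
    return {
        "peer_challenge": value[:16].hex(),
        "nt_response": value[24:48].hex(),
        "flags": value[48],
        "name": name,
        "domain": domain if sep else None,  # None when no backslash was sent
        "user": user,
    }


def build_sample(name):
    """Constructed sample packet (all-zero challenge/response), not captured traffic."""
    value = bytes(VALUE_SIZE)
    body = struct.pack("!BBHB", OP_RESPONSE, 1, 5 + len(value) + len(name), len(value))
    body += value + name
    header = struct.pack("!BBHB", EAP_RESPONSE, 1, 5 + len(body), EAP_TYPE_MSCHAPV2)
    return "0x" + (header + body).hex()


if __name__ == "__main__":
    parsed = parse_mschapv2_response(build_sample(b"DOMAIN\\username"))
    print("name on the wire:", repr(parsed["name"]))
    print("domain:", parsed["domain"], "user:", parsed["user"])
```
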
