Re: Freeradius + PEAP.. stuck on validating identity..
Bruno Kremel wrote:
> I am posting full log with first is radtest accepted and others are
> failed login from wifi client with 2 different accounts...
>
> FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Mar 29
> 2010 at 15:58:09

You should probably upgrade to 2.1.8. It has a lot of fixes &&
features over 2.0.4.

> server inner-tunnel {
> +- entering group authorize
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[unix] returns notfound
> rlm_realm: No '@' in User-Name = "123", looking up realm NULL
> rlm_realm: No such realm "NULL"
> ++[suffix] returns noop
> ++[control] returns noop
> rlm_eap: EAP packet type response id 8 length 62
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop

And no "sql". Edit raddb/sites-available/inner-tunnel, and add "sql"
to the "authorize" section. It's already there, so you likely just have
to uncomment it.

> rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
> rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
> rlm_mschap: Told to do MS-CHAPv2 for 123 with NT-Password
> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

Yup. No "known good" password means no authentication.

You could also try:

http://networkradius.com/freeradius.html

This lets you cut && paste the debug output into a form. The response
is a colorized HTML page indicating common errors, and things you should
look into.

It won't catch this problem, but it will highlight the fact that there
was no "known good" password for the user.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + PEAP.. stuck on validating identity..
2010/4/1 Alan DeKok :
> Bruno Kremel wrote:
>> Sending Access-Challenge of id 0 to 192.168.3.1 port 1320
>>         EAP-Message = 0x010c00061900
>>         Message-Authenticator = 0x
>>         State = 0x53b1704557bd694fbe3359243d2a2638
>> Finished request 40.
>> Going to the next request
>> Waking up in 4.9 seconds.
>> Cleaning up request 40 ID 0 with timestamp +589
>> Ready to process requests.
>
> This is documented in the FAQ, in the comments in raddb/eap.conf, and
> on my web site (http://deployingradius.com/).
>
> Please read the existing documentation,
>
>> That Access-Challenge should authenticate my client if I am not wrong,
>
> No.
>
> Alan DeKok.

Thank you for those links... I have read that FAQ and so I copied over
the default eap.conf and tried it with the users file.. it is working OK,
I can connect to the AP with username/password, but when I tried to use SQL
(I have the correct format in SQL now) again it ends up like this with
Accept-Reject:

rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [pokus2/] (from client ciscorouter port 44 cli 001e650ece6c)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> pokus2
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 23 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 23
Sending Access-Reject of id 0 to 192.168.3.1 port 1327
        EAP-Message = 0x040a0004
        Message-Authenticator = 0x
Waking up in 4.9 seconds.
Cleaning up request 23 ID 0 with timestamp +735
Ready to process requests.

But radtest gives me:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 54224, id=218, length=57
        User-Name = "test2"
        User-Password = "pokus2"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 1812
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "test2", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
expand: %{User-Name} -> test2
rlm_sql (sql): sql_set_user escaped user --> 'test2'
rlm_sql (sql): Reserving sql socket id: 2
expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test2' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test2' ORDER BY id
expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'test2' ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
rad_check_password: Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "pokus2"
rlm_pap: Using clear text password "pokus2"
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [test2/pokus2] (from client localhost port 1812)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 218 to 127.0.0.1 port 54224
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 10 ID 218 with timestamp +263
Ready to process requests.

So is it an sql problem or something with eap?
Re: Freeradius + PEAP.. stuck on validating identity..
Bruno Kremel wrote:
> Sending Access-Challenge of id 0 to 192.168.3.1 port 1320
>         EAP-Message = 0x010c00061900
>         Message-Authenticator = 0x
>         State = 0x53b1704557bd694fbe3359243d2a2638
> Finished request 40.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 40 ID 0 with timestamp +589
> Ready to process requests.

This is documented in the FAQ, in the comments in raddb/eap.conf, and
on my web site (http://deployingradius.com/).

Please read the existing documentation,

> That Access-Challenge should authenticate my client if I am not wrong,

No.

Alan DeKok.
Re: Freeradius + PEAP.. stuck on validating identity..
On 01/04/2010, at 8:40 PM, Bruno Kremel wrote:
> 2010/4/1 Matt Harlum :
>>
>> On 01/04/2010, at 1:44 PM, Matt Harlum wrote:
>>
>> On 01/04/2010, at 7:39 AM, Bruno Kremel wrote:
>>
>> On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
>> What should be there?
>> Because I don't know, I am using Daloradius web interface for adding data to
>> database, so I just loaded default daloradius sql which was intended
>> (according to readme of daloradius) for 2.X Freeradius... and added accounts
>> in web interface...
>>
>> Here's an example from my radcheck table in the SQL Database
>> | id | UserName    | Attribute     | op | Value       |
>> +----+-------------+---------------+----+-------------+
>> |  1 | exampleuser | User-Password | == | password123 |
>> This is how yours should be set up, otherwise you will get the "validating"
>> issue in Windows.
>>
>> I was wrong
>> it should be
>> Here's an example from my radcheck table in the SQL Database
>> | id | UserName    | Attribute          | op | Value       |
>> +----+-------------+--------------------+----+-------------+
>> |  1 | exampleuser | Cleartext-Password | := | password123 |
>> My configuration was wrong it'd seem, I hadn't noticed as I'm primarily
>> using EAP-TLS with EAP-TTLS as a fallback. didn't test it when I upgraded to
>> 2.x
>> Regards,
>> Matt Harlum
>>
>>
>> To me it seems that name/password was accepted so I have no clue where
>> is the problem..
>>
>> The password was NOT accepted. It was *ignored*.
>>
>> And what is that Accept-Accept on the end of the log?... also radtest gives me
>> Accept-Accept only on correct login and password so I think that it's not that
>> SQL...
>>
>>
>> As Alan said, it was simply ignored because of the misconfiguration
>> Regards,
>> Matt Harlum
>>
>
> Thank you for answer.. You are right with that sql it is some mess in
> daloradius, but I tried to disable SQL and use /etc/freeradius/users
> file instead, but I am stuck on Attempting to authenticate now.. log
> says this:

Are you trying to use EAP-TTLS?

> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.3.1 port 1320, id=0,
> length=137
> Cleaning up request 39 ID 0 with timestamp +589
>         User-Name = "pokus"
>         NAS-IP-Address = 192.168.3.1
>         Called-Station-Id = "00259c523046"
>         Calling-Station-Id = "001e650eb532"
>         NAS-Identifier = "00259c523046"
>         NAS-Port = 9
>         Framed-MTU = 1400
>         State = 0x53b1704550ba694fbe3359243d2a2638
>         NAS-Port-Type = Wireless-802.11
>         EAP-Message = 0x020b00061900
>         Message-Authenticator = 0x5fde19c57e8672a11c18b0b34d8c3acd
> +- entering group authorize
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL
> rlm_realm: No such realm "NULL"
> ++[suffix] returns noop
> rlm_eap: EAP packet type response id 11 length 6
> rlm_eap: Continuing tunnel setup.
> ++[eap] returns ok
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> +- entering group authenticate
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/peap
> rlm_eap: processing type peap
> rlm_eap_peap: Authenticate
> rlm_eap_tls: processing TLS
> rlm_eap_tls: Received EAP-TLS ACK message
> rlm_eap_tls: ack handshake fragment handler
> eaptls_verify returned 1
> eaptls_process returned 13
> rlm_eap_peap: EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 0 to 192.168.3.1 port 1320
>         EAP-Message = 0x010c00061900
>         Message-Authenticator = 0x
>         State = 0x53b1704557bd694fbe3359243d2a2638
> Finished request 40.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 40 ID 0 with timestamp +589
> Ready to process requests.

Hard for me to tell what's going wrong here; radiusd -X should give more
diagnostic information that would help. Also, what was the exact section of
your users file like? With obfuscated login credentials, of course.

> That Access-Challenge should authenticate my client if I am not wrong,
> but it still shows me validating identity and the attempting to
> authenticate...
Re: Freeradius + PEAP.. stuck on validating identity..
2010/4/1 Matt Harlum :
>
> On 01/04/2010, at 1:44 PM, Matt Harlum wrote:
>
> On 01/04/2010, at 7:39 AM, Bruno Kremel wrote:
>
> On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
> What should be there?
> Because I don't know, I am using Daloradius web interface for adding data to
> database, so I just loaded default daloradius sql which was intended
> (according to readme of daloradius) for 2.X Freeradius... and added accounts
> in web interface...
>
> Here's an example from my radcheck table in the SQL Database
> | id | UserName    | Attribute     | op | Value       |
> +----+-------------+---------------+----+-------------+
> |  1 | exampleuser | User-Password | == | password123 |
> This is how yours should be set up, otherwise you will get the "validating"
> issue in Windows.
>
> I was wrong
> it should be
> Here's an example from my radcheck table in the SQL Database
> | id | UserName    | Attribute          | op | Value       |
> +----+-------------+--------------------+----+-------------+
> |  1 | exampleuser | Cleartext-Password | := | password123 |
> My configuration was wrong it'd seem, I hadn't noticed as I'm primarily
> using EAP-TLS with EAP-TTLS as a fallback. didn't test it when I upgraded to
> 2.x
> Regards,
> Matt Harlum
>
>
> To me it seems that name/password was accepted so I have no clue where
> is the problem..
>
> The password was NOT accepted. It was *ignored*.
>
> And what is that Accept-Accept on the end of the log?... also radtest gives me
> Accept-Accept only on correct login and password so I think that it's not that
> SQL...
>
>
> As Alan said, it was simply ignored because of the misconfiguration
> Regards,
> Matt Harlum
>

Thank you for answer.. You are right with that sql it is some mess in
daloradius, but I tried to disable SQL and use /etc/freeradius/users
file instead, but I am stuck on Attempting to authenticate now.. log
says this:

Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.3.1 port 1320, id=0, length=137
Cleaning up request 39 ID 0 with timestamp +589
        User-Name = "pokus"
        NAS-IP-Address = 192.168.3.1
        Called-Station-Id = "00259c523046"
        Calling-Station-Id = "001e650eb532"
        NAS-Identifier = "00259c523046"
        NAS-Port = 9
        Framed-MTU = 1400
        State = 0x53b1704550ba694fbe3359243d2a2638
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020b00061900
        Message-Authenticator = 0x5fde19c57e8672a11c18b0b34d8c3acd
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 11 length 6
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.3.1 port 1320
        EAP-Message = 0x010c00061900
        Message-Authenticator = 0x
        State = 0x53b1704557bd694fbe3359243d2a2638
Finished request 40.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 40 ID 0 with timestamp +589
Ready to process requests.

That Access-Challenge should authenticate my client if I am not wrong,
but it still shows me validating identity and the attempting to
authenticate...
Re: Freeradius + PEAP.. stuck on validating identity..
On 01/04/2010, at 1:44 PM, Matt Harlum wrote:
>
> On 01/04/2010, at 7:39 AM, Bruno Kremel wrote:
>
>> On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
>> What should be there?
>> Because I don't know, I am using Daloradius web interface for adding data to
>> database, so I just loaded default daloradius sql which was intended
>> (according to readme of daloradius) for 2.X Freeradius... and added accounts
>> in web interface...
>
> Here's an example from my radcheck table in the SQL Database
> | id | UserName    | Attribute     | op | Value       |
> +----+-------------+---------------+----+-------------+
> |  1 | exampleuser | User-Password | == | password123 |
>
> This is how yours should be set up, otherwise you will get the "validating"
> issue in Windows.
>

I was wrong, it should be:

Here's an example from my radcheck table in the SQL Database
| id | UserName    | Attribute          | op | Value       |
+----+-------------+--------------------+----+-------------+
|  1 | exampleuser | Cleartext-Password | := | password123 |

My configuration was wrong it'd seem, I hadn't noticed as I'm primarily
using EAP-TLS with EAP-TTLS as a fallback. Didn't test it when I upgraded to
2.x

Regards,
Matt Harlum

>
>>> To me it seems that name/password was accepted so I have no clue where is the problem..
>>>
>>> The password was NOT accepted. It was *ignored*.
>>>
>> And what is that Accept-Accept on the end of the log?... also radtest gives me
>> Accept-Accept only on correct login and password so I think that it's not that
>> SQL...
>>
>
> As Alan said, it was simply ignored because of the misconfiguration
>
> Regards,
> Matt Harlum
>
Re: Freeradius + PEAP.. stuck on validating identity..
On 01/04/2010, at 7:39 AM, Bruno Kremel wrote:
> On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
> What should be there?
> Because I don't know, I am using Daloradius web interface for adding data to
> database, so I just loaded default daloradius sql which was intended
> (according to readme of daloradius) for 2.X Freeradius... and added accounts
> in web interface...

Here's an example from my radcheck table in the SQL Database
| id | UserName    | Attribute     | op | Value       |
+----+-------------+---------------+----+-------------+
|  1 | exampleuser | User-Password | == | password123 |

This is how yours should be set up, otherwise you will get the "validating"
issue in Windows.

>>
>>> To me it seems that name/password was accepted so I have no clue where
>>> is the problem..
>>
>> The password was NOT accepted. It was *ignored*.
>>
> And what is that Accept-Accept on the end of the log?... also radtest gives me
> Accept-Accept only on correct login and password so I think that it's not that
> SQL...
>

As Alan said, it was simply ignored because of the misconfiguration

Regards,
Matt Harlum
Re: Freeradius + PEAP.. stuck on validating identity..
Bruno Kremel wrote:
>> Why did you put "Auth-Type = Accept" in SQL?
>>
>> It's breaking the server. Delete it.
> What should be there?

The user's password?

> Because I don't know, I am using Daloradius web interface for adding data to
> database, so I just loaded default daloradius sql which was intended
> (according to readme of daloradius) for 2.X Freeradius... and added accounts
> in web interface...

I don't use daloradius. All I know is from the debug output, which
shows that the server isn't configured properly.

> And what is that Accept-Accept on the end of the log?...

It's useless. The EAP conversation has been short-circuited, and the
user WILL NOT end up being online.

> also radtest gives me
> Accept-Accept only on correct login and password so I think that it's not that
> SQL...

Since you obviously know the product better than I do, good luck
solving the problem.

Alan DeKok.
Re: Freeradius + PEAP.. stuck on validating identity..
On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
> Bruno Kremel wrote:
> > My configuration is pretty much default except of enabling MySQL and
> > setting paths and passwords to certificates (generated with make
> > script in /etc/freeradius/certs, so they should be OK) and addresses
> > of clients.
>
> And what did you put in SQL?
>
> > expand: %{User-Name} -> pokus
> > rlm_sql (sql): sql_set_user escaped user --> 'pokus'
> > rlm_sql (sql): Reserving sql socket id: 3
> > expand: SELECT id, username, attribute, value, op FROM radcheck WHERE
> > username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username,
> > attribute, value, op FROM radcheck WHERE username = 'pokus' ORDER BY
> > id
> > rlm_sql (sql): User found in radcheck table
> > expand: SELECT id, username, attribute, value, op FROM radreply WHERE
> > username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username,
> > attribute, value, op FROM radreply WHERE username = 'pokus' ORDER BY
> > id
> > expand: SELECT groupname FROM radusergroup WHERE username =
> > '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM
> > radusergroup WHERE username = 'pokus' ORDER BY priority
>
> ...
>
> > rad_check_password: Found Auth-Type Accept
> > rad_check_password: Auth-Type = Accept, accepting the user
>
> Why did you put "Auth-Type = Accept" in SQL?
>
> It's breaking the server. Delete it.

What should be there?
Because I don't know, I am using Daloradius web interface for adding data to
database, so I just loaded default daloradius sql which was intended
(according to readme of daloradius) for 2.X Freeradius... and added accounts
in web interface...

>
> > To me it seems that name/password was accepted so I have no clue where
> > is the problem..
>
> The password was NOT accepted. It was *ignored*.
>

And what is that Accept-Accept on the end of the log?... also radtest gives me
Accept-Accept only on correct login and password so I think that it's not that
SQL...

> Alan DeKok.

Thank you for answer.
Re: Freeradius + PEAP.. stuck on validating identity..
Bruno Kremel wrote:
> My configuration is pretty much default except of enabling MySQL and
> setting paths and passwords to certificates (generated with make
> script in /etc/freeradius/certs, so they should be OK) and addresses
> of clients.

And what did you put in SQL?

> expand: %{User-Name} -> pokus
> rlm_sql (sql): sql_set_user escaped user --> 'pokus'
> rlm_sql (sql): Reserving sql socket id: 3
> expand: SELECT id, username, attribute, value, op FROM radcheck WHERE
> username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username,
> attribute, value, op FROM radcheck WHERE username = 'pokus' ORDER BY
> id
> rlm_sql (sql): User found in radcheck table
> expand: SELECT id, username, attribute, value, op FROM radreply WHERE
> username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username,
> attribute, value, op FROM radreply WHERE username = 'pokus' ORDER BY
> id
> expand: SELECT groupname FROM radusergroup WHERE username =
> '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM
> radusergroup WHERE username = 'pokus' ORDER BY priority

...

> rad_check_password: Found Auth-Type Accept
> rad_check_password: Auth-Type = Accept, accepting the user

Why did you put "Auth-Type = Accept" in SQL?

It's breaking the server. Delete it.

> To me it seems that name/password was accepted so I have no clue where
> is the problem..

The password was NOT accepted. It was *ignored*.

Alan DeKok.
Freeradius + PEAP.. stuck on validating identity..
Hi,

I have freeradius for WPA2 Enterprise authentication in small network
in library, it is stable version (2.0.4) on Debian Lenny compiled from
sources with OpenSSL support.. Everything seems to be OK, but when I try
to connect to AP from laptop with Windows XP after I enter name and
password I am stuck on Validating identity, same on Ubuntu machine...

My configuration is pretty much default except of enabling MySQL and
setting paths and passwords to certificates (generated with make
script in /etc/freeradius/certs, so they should be OK) and addresses
of clients.

This is what freeradius -X gives me when I try to connect to AP:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.3.1 port 1291, id=0, length=123
        User-Name = "pokus"
        NAS-IP-Address = 192.168.3.1
        Called-Station-Id = "00259c523046"
        Calling-Station-Id = "001e650eb532"
        NAS-Identifier = "00259c523046"
        NAS-Port = 9
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020a01706f6b7573
        Message-Authenticator = 0x634f3b088572fda3a12eca56ed6035b9
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 0 length 10
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
expand: %{User-Name} -> pokus
rlm_sql (sql): sql_set_user escaped user --> 'pokus'
rlm_sql (sql): Reserving sql socket id: 3
expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'pokus' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'pokus' ORDER BY id
expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'pokus' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [pokus/] (from client router port 9 cli 001e650eb532)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 0 to 192.168.3.1 port 1291
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 0 with timestamp +59
Ready to process requests.

To me it seems that name/password was accepted so I have no clue where
is the problem..

Thank you in advance for any help..
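
Added example (not part of the original thread and not FreeRADIUS code): a Python triage helper for the three misconfigurations diagnosed above, namely "Auth-Type = Accept" in radcheck short-circuiting EAP, a User-Password check item instead of "Cleartext-Password :=", and an inner-tunnel "authorize" section that never runs "sql". The function names, finding labels, the `store` parameter and both sample logs are assumptions made for this illustration; the samples are constructed from debug lines quoted in the thread.

```python
import re

PASSWORD_ATTRS = {"Cleartext-Password", "NT-Password"}  # "known good" for rlm_mschap

def audit_radcheck(rows):
    """rows: (username, attribute, op, value) tuples read from radcheck."""
    findings, has_password = [], set()
    for user, attr, op, value in rows:
        if attr == "Auth-Type" and value == "Accept":
            findings.append((user, "auth-type-accept"))    # password is ignored
        elif attr == "User-Password":
            findings.append((user, "user-password-item"))  # use Cleartext-Password :=
        elif attr in PASSWORD_ATTRS and op == ":=":
            has_password.add(user)
    for user in sorted({r[0] for r in rows} - has_password):
        findings.append((user, "no-known-good-password"))
    return findings

def triage_debug(text, store="sql"):
    """Scan `radiusd -X` output; `store` is the module expected to supply passwords."""
    findings, group, in_inner, inner_authorize, saw_eap = [], None, False, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("rad_recv:"):
            saw_eap = False                      # a new request begins
        elif line.startswith("server inner-tunnel {"):
            in_inner, group = True, None
        elif line.startswith("}"):
            in_inner = False
        elif line.startswith(("EAP-Message =", "rlm_eap: EAP packet type")):
            saw_eap = True
        m = re.match(r"\+- entering group (\S+)", line)
        if m:
            group = m.group(1)
            if in_inner and group == "authorize":
                inner_authorize = []             # modules run for the tunnelled request
            continue
        m = re.match(r"\+\+\[([^\]]+)\] returns \w+", line)
        if m and in_inner and group == "authorize":
            inner_authorize.append(m.group(1))
        elif saw_eap and re.match(r"rad_check_password:\s*Auth-Type = Accept", line):
            # Access-Accept goes out without finishing EAP; the client stays "validating"
            findings.append("eap-short-circuited-by-auth-type-accept")
        elif line.startswith("rlm_mschap: FAILED: No NT/LM-Password"):
            findings.append("mschap-no-known-good-password")
            if inner_authorize is not None and store not in inner_authorize:
                findings.append("inner-tunnel-authorize-missing-" + store)
    return findings

# Constructed samples, assembled from debug lines quoted in the thread.
OUTER_LOG = """rad_recv: Access-Request packet from host 192.168.3.1 port 1291, id=0, length=123
        EAP-Message = 0x020a01706f6b7573
+- entering group authorize
++[sql] returns ok
rad_check_password: Auth-Type = Accept, accepting the user
Sending Access-Accept of id 0 to 192.168.3.1 port 1291
"""
INNER_LOG = """server inner-tunnel {
+- entering group authorize
++[mschap] returns noop
++[eap] returns updated
++[files] returns noop
++[pap] returns noop
+- entering group authenticate
rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
"""

if __name__ == "__main__":
    print(triage_debug(OUTER_LOG))
    print(triage_debug(INNER_LOG))
    print(audit_radcheck([("exampleuser", "User-Password", "==", "password123")]))
```

A plain radtest (PAP) request with the same radcheck row is not flagged by triage_debug, which matches the thread: radtest returned Access-Accept while the wireless clients hung.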