Re: rlm_eap: Handler failed in EAP/peap
Javier Richard Quinto Ancieta wrote:
> Hello, I have problems with my FreeRADIUS (Installed )Version 1.1.3. Upgrade. The problem is when I use EAP-PEAP, msCHAPv2 for clients Windows and a Server LDAP in Debian.
> I have Installed freeradius using EAP-PEAP and in the radius.conf is of the next form:

The FAQ and documentation does *not* say to post this. So don't.

> And in the file slapd.conf is of the next form:

Again, this isn't necessary.

> * rlm_eap_peap: Session established. Decoding tunneled attributes.
> rlm_eap_peap: Received EAP-TLV response.
> rlm_eap_peap: Tunneled data is valid.
> rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session.

This means go read the EARLIER messages in the debug log to see why the user was rejected.

The point of running it in debugging mode is to read the output. *All* of it. Ignoring most of it doesn't help.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_eap: Handler failed in EAP/peap
Try uncommenting with_ntdomain_hack = yes in the mschap config. The WORKGROUP\\ needs to be stripped. Which happens automatically when that config is enabled.

Laker

--- Agus Supriyadi [EMAIL PROTECTED] wrote:
> On 2/28/06, Laker Netman [EMAIL PROTECTED] wrote:
> > It looks like you didn't include the domain info by having --domain=%{mschap:NT-Domain} in your ntlm_auth command line in the mschap section of your radius.conf file.
>
> Thanks Laker,,, You're right.. after I added --domain=%{mschap:NT-Domain} to ntlm_auth,, script failed error is gone. But There's new error occurred, It looks like this:
>
> BEGIN ERROR ---
> rlm_eap: Identity does not match User-Name, setting from EAP Identity.
> rlm_eap: Failed in handler
> modcall[authenticate]: module eap returns invalid for request 28
> --- END ERROR ---
>
> The full debug message of the request just like this:
>
> === BEGIN DEBUG ===
> rad_recv: Access-Request packet from host 128.16.100.2:21646, id=106, length=144
>     User-Name = WORKGROUP\\agus
>     Framed-MTU = 1400
>     Called-Station-Id = 0012.43f9.07f0
>     Calling-Station-Id = 0040.96a6.0915
>     Service-Type = Login-User
>     Message-Authenticator = 0xceeac013eeaa43fc5650c013e93f651c
>     EAP-Message = 0x0201001301574f524b47524f55505c61677573
>     NAS-Port-Type = Wireless-802.11
>     NAS-Port = 491
>     NAS-IP-Address = 128.16.100.2
>     NAS-Identifier = iSpot
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 28
> modcall[authorize]: module preprocess returns ok for request 28
> modcall[authorize]: module chap returns noop for request 28
> modcall[authorize]: module mschap returns noop for request 28
> rlm_realm: No '@' in User-Name = agus, looking up realm NULL
> rlm_realm: No such realm NULL
> modcall[authorize]: module suffix returns noop for request 28
> rlm_eap: EAP packet type response id 1 length 19
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module eap returns updated for request 28
> users: Matched entry DEFAULT at line 152
> modcall[authorize]: module files returns ok for request 28
> rlm_passwd: Added LM-Password: 'B736D7A84FBDE543AAD3B435B51404EE' to config_items
> rlm_passwd: Added NT-Password: 'AA4348E74FCFE5BB2061F2FF5C085304' to config_items
> rlm_passwd: Added SMB-Account-CTRL-TEXT: '[U ]' to config_items
> rlm_passwd: Adding Auth-Type = MS-CHAP
> modcall[authorize]: module etc_smbpasswd returns ok for request 28
> modcall: leaving group authorize (returns updated) for request 28
> rad_check_password: Found Auth-Type EAP
> auth: type EAP
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 28
> rlm_eap: Identity does not match User-Name, setting from EAP Identity.
> rlm_eap: Failed in handler
> modcall[authenticate]: module eap returns invalid for request 28
> modcall: leaving group authenticate (returns invalid) for request 28
> auth: Failed to validate the user.
> === END DEBUG ===
>
> Is that because eap performing certificate CN check with user-name attrib but not with the hostname of the server? (Just my guess)
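The EAP-Message values quoted in this thread can be decoded to see exactly what the client sent, including the identity string with its domain prefix. This is an added example, not part of the original posts or of FreeRADIUS; it parses the EAP header (RFC 3748) and the EAP-TLS style flags byte, and its type-name table is abbreviated.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Abbreviated table of EAP method types (IANA EAP registry numbers).
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP",
             26: "MS-CHAPv2", 33: "EAP-TLV"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
               23: "application_data"}

# EAP-Message values copied from the debug logs quoted in this thread.
IDENTITY_MSG = "0x0201001301574f524b47524f55505c61677573"
PEAP_MSG = ("0x020800261900170301001bdc0d980a2faf3b259a1c839845"
            "feaee7fa20acda7735f5da62fb21")
FAILURE_MSG = "0x04080004"


def decode_eap(hex_value):
    """Decode one EAP packet given as the hex string radiusd prints."""
    text = hex_value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("an EAP packet has a 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    pkt = {"code": EAP_CODES.get(code, "unknown(%d)" % code),
           "id": ident, "length": length,
           # A mismatch means the value was truncated or is only one of
           # several EAP-Message attributes carrying the packet.
           "complete": length == len(raw)}
    if code not in (1, 2) or length < 5 or len(raw) < 5:
        return pkt                      # Success/Failure carry no type field
    etype = raw[4]
    pkt["type"] = EAP_TYPES.get(etype, "unknown(%d)" % etype)
    body = raw[5:length]
    if etype == 1:
        # Identity is free text chosen by the supplicant; Windows clients
        # may send it as DOMAIN\user.
        pkt["identity"] = body.decode("utf-8", "replace")
    elif etype in (13, 25) and body:
        flags = body[0]
        pkt["length_included"] = bool(flags & 0x80)
        pkt["more_fragments"] = bool(flags & 0x40)
        pkt["start"] = bool(flags & 0x20)
        # With the L bit set, a 4-byte TLS message length precedes the data.
        tls = body[5:] if flags & 0x80 else body[1:]
        if len(tls) >= 5:
            ctype, version, rec_len = struct.unpack("!BHH", tls[:5])
            pkt["tls_record"] = {
                "content": TLS_CONTENT.get(ctype, "unknown(%d)" % ctype),
                "version": "0x%04x" % version,
                "length": rec_len}
    return pkt


if __name__ == "__main__":
    for msg in (IDENTITY_MSG, PEAP_MSG, FAILURE_MSG):
        print(decode_eap(msg))
```

The decoded id and length fields match the `rlm_eap: EAP packet type response id ... length ...` lines in the same logs, which is a quick check that a pasted value is intact.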
Re: rlm_eap: Handler failed in EAP/peap
SEE BELOW:

--- Agus Supriyadi [EMAIL PROTECTED] wrote:
> Dear All, I've got a problem with my freeradius. I've installed freeradius 1.1.0. I'm gonna using EAP/PEAP and MSCHAPv2. The radius returned Access-Reject message when I try to authenticate user. This is the debug message from freeradius:
>
> --- BEGIN DEBUG ---
> rad_recv: Access-Request packet from host 128.16.100.2:21645, id=112, length=219
>     User-Name = agus
>     Framed-MTU = 1400
>     Called-Station-Id = 0012.43f9.07f0
>     Calling-Station-Id = 0040.96a6.0915
>     Service-Type = Login-User
>     Message-Authenticator = 0x035385584153738e930ae5647bba4e77
>     EAP-Message = 0x020900561900170301004bbeba44dea711ccc50b11d2b66d81c5ee2f2254128135c4bfbc0c8f56c11d93419377cb9061b873416e21389346112ea96d1078b7ad8db16c64b70d812a071923b02819bd681a5902ead889
>     NAS-Port-Type = Wireless-802.11
>     NAS-Port = 208
>     State = 0xbe8af775ecd2998b486819e32c8c5eb3
>     NAS-IP-Address = 128.16.100.2
>     NAS-Identifier = iSpot
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 7
> modcall[authorize]: module preprocess returns ok for request 7
> modcall[authorize]: module chap returns noop for request 7
> modcall[authorize]: module mschap returns noop for request 7
> rlm_realm: No '@' in User-Name = agus, looking up realm NULL
> rlm_realm: No such realm NULL
> modcall[authorize]: module suffix returns noop for request 7
> rlm_eap: EAP packet type response id 9 length 86
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module eap returns updated for request 7
> users: Matched entry DEFAULT at line 152
> modcall[authorize]: module files returns ok for request 7
> rlm_passwd: Added LM-Password: 'B736D7A84FBDE543AAD3B435B51404EE' to config_items
> rlm_passwd: Added NT-Password: 'AA4348E74FCFE5BB2061F2FF5C085304' to config_items
> rlm_passwd: Added SMB-Account-CTRL-TEXT: '[U ]' to config_items
> rlm_passwd: Adding Auth-Type = MS-CHAP
> modcall[authorize]: module etc_smbpasswd returns ok for request 7
> modcall: leaving group authorize (returns updated) for request 7
> rad_check_password: Found Auth-Type EAP
> auth: type EAP
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 7
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/peap
> rlm_eap: processing type peap
> rlm_eap_peap: Authenticate
> rlm_eap_tls: processing TLS
> eaptls_verify returned 7
> rlm_eap_tls: Done initial handshake
> eaptls_process returned 7
> rlm_eap_peap: EAPTLS_OK
> rlm_eap_peap: Session established. Decoding tunneled attributes.
> rlm_eap_peap: EAP type mschapv2
> rlm_eap_peap: Tunneled data is valid.
> PEAP: Setting User-Name to agus
> PEAP: Adding old state with e5 7c
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 7
> modcall[authorize]: module preprocess returns ok for request 7
> modcall[authorize]: module chap returns noop for request 7
> modcall[authorize]: module mschap returns noop for request 7
> rlm_realm: No '@' in User-Name = agus, looking up realm NULL
> rlm_realm: No such realm NULL
> modcall[authorize]: module suffix returns noop for request 7
> rlm_eap: EAP packet type response id 9 length 63
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module eap returns updated for request 7
> users: Matched entry DEFAULT at line 152
> modcall[authorize]: module files returns ok for request 7
> rlm_passwd: Added LM-Password: 'B736D7A84FBDE543AAD3B435B51404EE' to config_items
> rlm_passwd: Added NT-Password: 'AA4348E74FCFE5BB2061F2FF5C085304' to config_items
> rlm_passwd: Added SMB-Account-CTRL-TEXT: '[U ]' to config_items
> rlm_passwd: Adding Auth-Type = MS-CHAP
> modcall[authorize]: module etc_smbpasswd returns ok for request 7
> modcall: leaving group authorize (returns updated) for request 7
> rad_check_password: Found Auth-Type EAP
> auth: type EAP
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 7
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/mschapv2
> rlm_eap: processing type mschapv2
> Processing the authenticate section of radiusd.conf
> modcall: entering group MS-CHAP for request 7
> rlm_mschap: Found LM-Password
> rlm_mschap: Found NT-Password
> rlm_mschap: Told to do MS-CHAPv2 for agus with NT-Password
> radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
> mschap2: 60
> radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
> radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=agus --challenge=b7bc51d8fa48dfc5

It looks like you didn't include the domain info by having
Re: rlm_eap: Handler failed in EAP/peap
On 2/28/06, Laker Netman [EMAIL PROTECTED] wrote:
> It looks like you didn't include the domain info by having --domain=%{mschap:NT-Domain} in your ntlm_auth command line in the mschap section of your radius.conf file.

Thanks Laker,,, You're right.. after I added --domain=%{mschap:NT-Domain} to ntlm_auth,, script failed error is gone. But There's new error occurred, It looks like this:

BEGIN ERROR ---
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
rlm_eap: Failed in handler
modcall[authenticate]: module eap returns invalid for request 28
--- END ERROR ---

The full debug message of the request just like this:

=== BEGIN DEBUG ===
rad_recv: Access-Request packet from host 128.16.100.2:21646, id=106, length=144
    User-Name = WORKGROUP\\agus
    Framed-MTU = 1400
    Called-Station-Id = 0012.43f9.07f0
    Calling-Station-Id = 0040.96a6.0915
    Service-Type = Login-User
    Message-Authenticator = 0xceeac013eeaa43fc5650c013e93f651c
    EAP-Message = 0x0201001301574f524b47524f55505c61677573
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 491
    NAS-IP-Address = 128.16.100.2
    NAS-Identifier = iSpot
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 28
modcall[authorize]: module preprocess returns ok for request 28
modcall[authorize]: module chap returns noop for request 28
modcall[authorize]: module mschap returns noop for request 28
rlm_realm: No '@' in User-Name = agus, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 28
rlm_eap: EAP packet type response id 1 length 19
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 28
users: Matched entry DEFAULT at line 152
modcall[authorize]: module files returns ok for request 28
rlm_passwd: Added LM-Password: 'B736D7A84FBDE543AAD3B435B51404EE' to config_items
rlm_passwd: Added NT-Password: 'AA4348E74FCFE5BB2061F2FF5C085304' to config_items
rlm_passwd: Added SMB-Account-CTRL-TEXT: '[U ]' to config_items
rlm_passwd: Adding Auth-Type = MS-CHAP
modcall[authorize]: module etc_smbpasswd returns ok for request 28
modcall: leaving group authorize (returns updated) for request 28
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 28
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
rlm_eap: Failed in handler
modcall[authenticate]: module eap returns invalid for request 28
modcall: leaving group authenticate (returns invalid) for request 28
auth: Failed to validate the user.
=== END DEBUG ===

Is that because eap performing certificate CN check with user-name attrib but not with the hostname of the server? (Just my guess)
Re: rlm_eap: Handler failed in EAP/peap
Try sending the *entire* debug output. You're only sending the part that occurs *after* the *real* error. The true error is happening earlier in the authentication sequence.

--Mike

On Thu, 2004-09-09 at 08:21, Hugo Sousa wrote:
> Hello, I'm trying to authenticate a XP SP2. I'm using, for testing only, the root username and password. And the result is on the bottom. What could be the problem?
>
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 192.168.2.14:2050, id=0, length=168
>     User-Name = root
>     NAS-IP-Address = 192.168.2.14
>     Called-Station-Id = 000f6645db2a
>     Calling-Station-Id = 0020ed792d18
>     NAS-Identifier = 000f6645db2a
>     NAS-Port = 12
>     Framed-MTU = 1400
>     State = 0x9ffc28e6266e915f48a2c65201988172
>     NAS-Port-Type = Wireless-802.11
>     EAP-Message = 0x020800261900170301001bdc0d980a2faf3b259a1c839845feaee7fa20acda7735f5da62fb21
>     Message-Authenticator = 0xc1149f0adc27f8d6973700ddb42b51ab
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 78
> modcall[authorize]: module preprocess returns ok for request 78
> modcall[authorize]: module chap returns noop for request 78
> modcall[authorize]: module mschap returns noop for request 78
> rlm_realm: No '@' in User-Name = root, looking up realm NULL
> rlm_realm: Found realm NULL
> rlm_realm: Adding Stripped-User-Name = root
> rlm_realm: Proxying request from user root to realm NULL
> rlm_realm: Adding Realm = NULL
> rlm_realm: Authentication realm is LOCAL.
> modcall[authorize]: module suffix returns noop for request 78
> rlm_eap: EAP packet type response id 8 length 38
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module eap returns updated for request 78
> users: Matched DEFAULT at 152
> modcall[authorize]: module files returns ok for request 78
> modcall: group authorize returns updated for request 78
> rad_check_password: Found Auth-Type EAP
> auth: type EAP
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 78
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/peap
> rlm_eap: processing type peap
> rlm_eap_peap: Authenticate
> rlm_eap_tls: processing TLS
> eaptls_verify returned 7
> rlm_eap_tls: Done initial handshake
> eaptls_process returned 7
> rlm_eap_peap: EAPTLS_OK
> rlm_eap_peap: Session established. Decoding tunneled attributes.
> rlm_eap_peap: Received EAP-TLV response.
> rlm_eap_peap: Tunneled data is valid.
> rlm_eap_peap: Had sent TLV failure, rejecting.
> rlm_eap: Handler failed in EAP/peap
> rlm_eap: Failed in EAP select
> modcall[authenticate]: module eap returns invalid for request 78
> modcall: group authenticate returns invalid for request 78
> auth: Failed to validate the user.
> Delaying request 78 for 1 seconds
> Finished request 78
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 0 to 192.168.2.14:2050
>     EAP-Message = 0x04080004
>     Message-Authenticator = 0x
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 78 ID 0 with timestamp 413fce87
> Nothing to do. Sleeping until we see a request.
>
> Regards,
> Hugo Sousa
> SysAdmin / NetworkAdmin
> http://www.netsystems.pt
> Portugal
RE: rlm_eap: Handler failed in EAP/peap
rlm_realm: Found realm NULL
rlm_realm: Adding Stripped-User-Name = root
rlm_realm: Proxying request from user root to realm NULL
rlm_realm: Adding Realm = NULL
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module suffix returns noop for request 8
rlm_eap: EAP packet type response id 8 length 38
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 8
users: Matched DEFAULT at 152
modcall[authorize]: module files returns ok for request 8
modcall: group authorize returns updated for request 8
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure, rejecting.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module eap returns invalid for request 8
modcall: group authenticate returns invalid for request 8
auth: Failed to validate the user.
Delaying request 8 for 1 seconds
Finished request 8
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 0 to 192.168.2.14:2050
    EAP-Message = 0x04080004
    Message-Authenticator = 0x
Cleaning up request 8 ID 0 with timestamp 413ff760
Nothing to do. Sleeping until we see a request.

Regards,
Hugo Sousa
SysAdmin / NetworkAdmin
http://www.netsystems.pt
Portugal

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Griego
Sent: Thursday, 9 September 2004 14:31
To: [EMAIL PROTECTED]
Subject: Re: rlm_eap: Handler failed in EAP/peap

Try sending the *entire* debug output. You're only sending the part that occurs *after* the *real* error. The true error is happening earlier in the authentication sequence.

--Mike

On Thu, 2004-09-09 at 08:21, Hugo Sousa wrote:
> Hello, I'm trying to authenticate a XP SP2. I'm using, for testing only, the root username and password. And the result is on the bottom. What could be the problem?
>
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 192.168.2.14:2050, id=0, length=168
>     User-Name = root
>     NAS-IP-Address = 192.168.2.14
>     Called-Station-Id = 000f6645db2a
>     Calling-Station-Id = 0020ed792d18
>     NAS-Identifier = 000f6645db2a
>     NAS-Port = 12
>     Framed-MTU = 1400
>     State = 0x9ffc28e6266e915f48a2c65201988172
>     NAS-Port-Type = Wireless-802.11
>     EAP-Message = 0x020800261900170301001bdc0d980a2faf3b259a1c839845feaee7fa20acda7735f5da62fb21
>     Message-Authenticator = 0xc1149f0adc27f8d6973700ddb42b51ab
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 78
> modcall[authorize]: module preprocess returns ok for request 78
> modcall[authorize]: module chap returns noop for request 78
> modcall[authorize]: module mschap returns noop for request 78
> rlm_realm: No '@' in User-Name = root, looking up realm NULL
> rlm_realm: Found realm NULL
> rlm_realm: Adding Stripped-User-Name = root
> rlm_realm: Proxying request from user root to realm NULL
> rlm_realm: Adding Realm = NULL
> rlm_realm: Authentication realm is LOCAL.
> modcall[authorize]: module suffix returns noop for request 78
> rlm_eap: EAP packet type response id 8 length 38
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module eap returns updated for request 78
> users: Matched DEFAULT at 152
> modcall[authorize]: module files returns ok for request 78
> modcall: group authorize returns updated for request 78
> rad_check_password: Found Auth-Type EAP
> auth: type EAP
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 78
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/peap
> rlm_eap: processing type peap
> rlm_eap_peap: Authenticate
> rlm_eap_tls: processing TLS
> eaptls_verify returned 7
> rlm_eap_tls: Done initial handshake
> eaptls_process returned 7
> rlm_eap_peap: EAPTLS_OK
> rlm_eap_peap: Session established. Decoding tunneled attributes.
> rlm_eap_peap: Received EAP-TLV response.
> rlm_eap_peap: Tunneled data is valid.
> rlm_eap_peap: Had sent TLV failure, rejecting.
> rlm_eap: Handler failed in EAP/peap
> rlm_eap: Failed in EAP select
> modcall[authenticate]: module eap returns invalid for request 78
RE: rlm_eap: Handler failed in EAP/peap
> rlm_mschap: No User-Password configured. Cannot create LM-Password.
> rlm_mschap: No User-Password configured. Cannot create NT-Password.
> rlm_mschap: Told to do MS-CHAPv2 for root with NT-Password
> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

Your problem lies in the error messages above. You need to specify either a plain-text User-Password or an NT-Password for the user in the users file.

--
--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
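The replies above make the same point twice: the "Had sent TLV failure" line is only the symptom, and the reason was logged earlier in the `radiusd -X` output. This is an added example, not from the thread or from FreeRADIUS, that pairs each symptom with the error lines that precede it; the sample log is constructed from lines quoted in this thread, and the two pattern lists are assumptions.

```python
import re

# Lines that only report the final outcome of the EAP conversation.
SYMPTOM = re.compile(
    r"Had sent TLV failure|Handler failed in EAP|Failed in EAP select")
# Lines that say why an inner method or module refused the user.
# Assumption: an illustrative pattern list, not an exhaustive catalogue.
CAUSE = re.compile(r"FAILED:|Cannot create (?:LM|NT)-Password"
                   r"|returns (?:reject|fail) for request")

# Constructed sample: lines quoted in this thread, put in the order in which
# the inner MS-CHAPv2 failure and the later PEAP rejection would be logged.
SAMPLE_DEBUG = """
rlm_eap_peap: EAP type mschapv2
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for root with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
rad_recv: Access-Request packet from host 192.168.2.14:2050, id=0, length=168
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure, rejecting.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module eap returns invalid for request 78
auth: Failed to validate the user.
"""


def split_debug(text):
    """Return the non-empty log lines, stripped of surrounding whitespace."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def triage(lines):
    """Pair each run of symptom lines with the cause lines logged before it.

    An empty "earlier_errors" list means the capture starts after the real
    error, which is the situation both replies complain about.
    """
    reports, causes, in_symptom = [], [], False
    for number, line in enumerate(lines, 1):
        if SYMPTOM.search(line):
            if not in_symptom:          # first line of a run of symptoms
                reports.append({"symptom": (number, line),
                                "earlier_errors": causes})
                causes = []
            in_symptom = True
        else:
            in_symptom = False
            if CAUSE.search(line):
                causes.append((number, line))
    return reports


def render(reports):
    """Format the triage result for a terminal."""
    out = []
    for rep in reports:
        out.append("line %d: %s" % rep["symptom"])
        if not rep["earlier_errors"]:
            out.append("  no earlier error captured; collect the full log")
        out.extend("  caused by line %d: %s" % c for c in rep["earlier_errors"])
    return "\n".join(out)


if __name__ == "__main__":
    print(render(triage(split_debug(SAMPLE_DEBUG))))
```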
RE: rlm_eap: Handler failed in EAP/peap
How can I do that in the users file? The root user is a Linux user.

Btw... How can I redirect the users from a REALM to an LDAP server?

Regards
Hugo Sousa
SysAdmin / NetworkAdmin
http://www.netsystems.pt
Portugal

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Griego
Sent: Thursday, 9 September 2004 16:03
To: [EMAIL PROTECTED]
Subject: RE: rlm_eap: Handler failed in EAP/peap

> rlm_mschap: No User-Password configured. Cannot create LM-Password.
> rlm_mschap: No User-Password configured. Cannot create NT-Password.
> rlm_mschap: Told to do MS-CHAPv2 for root with NT-Password
> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

Your problem lies in the error messages above. You need to specify either a plain-text User-Password or an NT-Password for the user in the users file.

--
--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
RE: rlm_eap: Handler failed in EAP/peap
Hi Hugo,

You *can't* use SYSTEM passwords to authenticate using MS-CHAPv2. MS-CHAPv2 requires the AAA server to be able to obtain the clear text password (from a local file or some other source) or a password in NT-Password format. If it cannot get them, then it is unable to check that performing the hash function results in the same data as was supplied in the password from the NAS.

Therefore, you cannot use root as the username unless you also have a root user defined within the users file with a locally defined clear text password. Better to simply create a test user with a clear text password.

Regards,
Guy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hugo Sousa
Sent: 09 September 2004 16:08
To: [EMAIL PROTECTED]
Subject: RE: rlm_eap: Handler failed in EAP/peap

How can I do that in the users file? The root user is a Linux user.

Btw... How can I redirect the users from a REALM to an LDAP server?

Regards
Hugo Sousa
SysAdmin / NetworkAdmin
http://www.netsystems.pt
Portugal

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Griego
Sent: Thursday, 9 September 2004 16:03
To: [EMAIL PROTECTED]
Subject: RE: rlm_eap: Handler failed in EAP/peap

> rlm_mschap: No User-Password configured. Cannot create LM-Password.
> rlm_mschap: No User-Password configured. Cannot create NT-Password.
> rlm_mschap: Told to do MS-CHAPv2 for root with NT-Password
> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

Your problem lies in the error messages above. You need to specify either a plain-text User-Password or an NT-Password for the user in the users file.

--
--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas