I have some users, apparently always the same, who get rejected with this error message... I managed to get a session containing the failure captured in debug mode. Not sure if I should post more, but this the end of one such session.... How can I get to the root cause of their rejections? This is running 3.0.11 but I saw the same errors in previous versions as well. Thanks a lot, Mohamed. Waking up in 0.4 seconds. (267) Received Access-Request Id 50 from 64.57.22.74:59485 to 10.212.11.16:1812 length 322 (267) User-Name = "usernamescrub@georgetown.edu" (267) NAS-IP-Address = 137.158.248.12 (267) NAS-Identifier = "mc-wlan-3" (267) EAP-Message = 0x020d006019001703010020a656b177e50de453353cc5168dee3c22a1ed723cbb64f31aef3691fa701022dd17030100305b78b8ff2b863942c2334a32879eadff634098f4bfedef9becd8c6bdb487a756b1171bb2702c3646f84ecae10457efa4 (267) State = 0x7f22f2a0752febe91327d6769b7e379b (267) Message-Authenticator = 0x33f00e391800047cf82dac79dae82745 (267) Attr-26.9048.0 = 0x50726f786965642d42793d65746c72312e656475726f616d2e6f72672d31343534363537343033 (267) Attr-26.9048.0 = 0x50726f786965642d42793d72616469756d2e737572666e65742e6e6c2d31343534363537343033 (267) Attr-26.9048.0 = 0x50726f786965642d42793d544c5253312e656475726f616d2e7573 (267) session-state: No cached attributes (267) # Executing section authorize from file /etc/raddb/sites-enabled/default (267) authorize { (267) policy filter_username { (267) if (User-Name != "%{tolower:%{User-Name}}") { (267) EXPAND %{tolower:%{User-Name}} (267) --> usernamescrub@georgetown.edu (267) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (267) if (User-Name =~ / /) { (267) if (User-Name =~ / /) -> FALSE (267) if (User-Name =~ /@.*@/ ) { (267) if (User-Name =~ /@.*@/ ) -> FALSE (267) if (User-Name =~ /\\.\\./ ) { (267) if (User-Name =~ /\\.\\./ ) -> FALSE (267) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) { (267) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (267) if (User-Name =~ /\\.$/) { (267) if (User-Name =~ /\\.$/) -> FALSE (267) if (User-Name =~ /@\\./) { (267) if (User-Name =~ /@\\./) -> FALSE (267) } # policy filter_username = notfound (267) [preprocess] = ok (267) policy operator-name.authorize { (267) if ("%{client:Operator-Name}") { (267) EXPAND %{client:Operator-Name} (267) --> (267) if ("%{client:Operator-Name}") -> FALSE (267) } # policy operator-name.authorize = ok (267) [chap] = noop (267) [mschap] = noop (267) [digest] = noop (267) suffix: Checking for suffix after "@" (267) suffix: Looking up realm "georgetown.edu" for User-Name = " usernamescrub@georgetown.edu" (267) suffix: Found realm "georgetown.edu" (267) suffix: Adding Stripped-User-Name = "usernamescrub" (267) suffix: Adding Realm = "georgetown.edu" (267) suffix: Authentication realm is LOCAL (267) [suffix] = ok (267) if ("%{User-Name}" =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) { (267) EXPAND %{User-Name} (267) --> usernamescrub@georgetown.edu (267) if ("%{User-Name}" =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) -> TRUE (267) if ("%{User-Name}" =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) { (267) if ("%{2}" && ("%{2}" !~ /.*georgetown\.edu$/i && "%{2}" !~ /msb\.edu$/i) ) { (267) EXPAND %{2} (267) --> georgetown.edu (267) EXPAND %{2} (267) --> georgetown.edu (267) if ("%{2}" && ("%{2}" !~ /.*georgetown\.edu$/i && "%{2}" !~ /msb\.edu$/i) ) -> FALSE (267) } # if ("%{User-Name}" =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) = ok (267) if ("%{Realm}" != 'NULL' && "%{Realm}" != 'LOCAL' && "%{Realm}" != 'georgetown.edu' && "%{Realm}" != 'gu.edu' && "%{Realm}" != 'msb.edu' && "%{Realm}" != 'eduroam') { (267) if ("%{Realm}" != 'NULL' && "%{Realm}" != 'LOCAL' && "%{Realm}" != 'georgetown.edu' && "%{Realm}" != 'gu.edu' && "%{Realm}" != 'msb.edu' && "%{Realm}" != 'eduroam') -> FALSE (267) eap: Peer sent EAP Response (code 2) ID 13 length 96 (267) eap: Continuing tunnel setup (267) [eap] = ok (267) } # authorize = ok (267) Found Auth-Type = eap (267) # Executing group from file /etc/raddb/sites-enabled/default (267) authenticate { (267) eap: Expiring EAP session with state 0x4cf0afb84dfdabc5 (267) eap: Finished EAP session with state 0x7f22f2a0752febe9 (267) eap: Previous EAP request found for state 0x7f22f2a0752febe9, released from the list (267) eap: Peer sent packet with method EAP PEAP (25) (267) eap: Calling submodule eap_peap to process data (267) eap_peap: Continuing EAP-TLS (267) eap_peap: [eaptls verify] = ok (267) eap_peap: Done initial handshake (267) eap_peap: [eaptls process] = ok (267) eap_peap: Session established. Decoding tunneled attributes (267) eap_peap: PEAP state phase2 (267) eap_peap: EAP method MD5 (4) (267) eap_peap: Got tunneled request (267) eap_peap: EAP-Message = 0x020d001604104ed6fcaab16a1dcd4bc8ba2eded04e1b (267) eap_peap: Setting User-Name to usernamescrub@georgetown.edu (267) eap_peap: Sending tunneled request to inner-tunnel (267) eap_peap: EAP-Message = 0x020d001604104ed6fcaab16a1dcd4bc8ba2eded04e1b (267) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (267) eap_peap: User-Name = "usernamescrub@georgetown.edu" (267) eap_peap: State = 0x4cf0afb84dfdabc5e4cbfa01e2805e60 (267) eap_peap: NAS-IP-Address = 137.158.248.12 (267) eap_peap: NAS-Identifier = "mc-wlan-3" (267) eap_peap: Attr-26.9048.0 = 0x50726f786965642d42793d65746c72312e656475726f616d2e6f72672d31343534363537343033 (267) eap_peap: Attr-26.9048.0 = 0x50726f786965642d42793d72616469756d2e737572666e65742e6e6c2d31343534363537343033 (267) eap_peap: Attr-26.9048.0 = 0x50726f786965642d42793d544c5253312e656475726f616d2e7573 (267) eap_peap: Attr-26.9048.0 = 0x50726f786965642d42793d72616469756d2e737572666e65742e6e6c2d31343534363537343033 (267) eap_peap: Attr-26.9048.0 = 0x50726f786965642d42793d544c5253312e656475726f616d2e7573 (267) eap_peap: Attr-26.9048.0 = 0x50726f786965642d42793d544c5253312e656475726f616d2e7573 (267) eap_peap: Event-Timestamp = "Feb 5 2016 14:09:55 EST" (267) Virtual server inner-tunnel received request (267) EAP-Message = 0x020d001604104ed6fcaab16a1dcd4bc8ba2eded04e1b (267) FreeRADIUS-Proxied-To = 127.0.0.1 (267) User-Name = "usernamescrub@georgetown.edu" (267) State = 0x4cf0afb84dfdabc5e4cbfa01e2805e60 (267) NAS-IP-Address = 137.158.248.12 (267) NAS-Identifier = "mc-wlan-3" (267) Attr-26.9048.0 = 0x50726f786965642d42793d65746c72312e656475726f616d2e6f72672d31343534363537343033 (267) Attr-26.9048.0 = 0x50726f786965642d42793d72616469756d2e737572666e65742e6e6c2d31343534363537343033 (267) Attr-26.9048.0 = 0x50726f786965642d42793d544c5253312e656475726f616d2e7573 (267) Attr-26.9048.0 = 0x50726f786965642d42793d72616469756d2e737572666e65742e6e6c2d31343534363537343033 (267) Attr-26.9048.0 = 0x50726f786965642d42793d544c5253312e656475726f616d2e7573 (267) Attr-26.9048.0 = 0x50726f786965642d42793d544c5253312e656475726f616d2e7573 (267) Event-Timestamp = "Feb 5 2016 14:09:55 EST" (267) WARNING: Outer and inner identities are the same. User privacy is compromised. (267) server inner-tunnel { (267) session-state: No cached attributes (267) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (267) authorize { (267) [chap] = noop (267) [mschap] = noop (267) suffix: Checking for suffix after "@" (267) suffix: Looking up realm "georgetown.edu" for User-Name = " usernamescrub@georgetown.edu" (267) suffix: Found realm "georgetown.edu" (267) suffix: Adding Stripped-User-Name = "usernamescrub" (267) suffix: Adding Realm = "georgetown.edu" (267) suffix: Authentication realm is LOCAL (267) [suffix] = ok (267) update control { (267) Proxy-To-Realm := LOCAL (267) } # update control = noop (267) eap: Peer sent EAP Response (code 2) ID 13 length 22 (267) eap: No EAP Start, assuming it's an on-going EAP conversation (267) [eap] = updated (267) [files] = noop rlm_ldap (ldap): Reserved connection (12) (267) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (267) ldap: --> (uid=usernamescrub) (267) ldap: Performing search in "ou=people,dc=georgetown,dc=edu" with filter "(uid=usernamescrub)", scope "sub" (267) ldap: Waiting for search result... (267) ldap: User object found at DN "uid=usernamescrub,ou=people,dc=georgetown,dc=edu" (267) ldap: Processing user attributes (267) ldap: control:Password-With-Header += {MD4}1DD9FC26BF0FCD74413AF390A74F559B rlm_ldap (ldap): Released connection (12) (267) [ldap] = updated (267) if (&control:Password-With-Header =~ /^.MD4.(.*)$/) { (267) if (&control:Password-With-Header =~ /^.MD4.(.*)$/) -> TRUE (267) if (&control:Password-With-Header =~ /^.MD4.(.*)$/) { (267) update control { (267) EXPAND {nt}%{1} (267) --> {nt}1DD9FC26BF0FCD74413AF390A74F559B (267) Password-With-Header := {nt}1DD9FC26BF0FCD74413AF390A74F559B (267) } # update control = noop (267) pap: Converted: Password-With-Header -> NT-Password (267) pap: Removing &control:Password-With-Header (267) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes (267) pap: WARNING: Auth-Type already set. Not setting to PAP (267) [pap] = noop (267) } # if (&control:Password-With-Header =~ /^.MD4.(.*)$/) = noop (267) if ((ok || updated) && User-Password) { (267) if ((ok || updated) && User-Password) -> FALSE (267) [expiration] = noop (267) [logintime] = noop (267) pap: WARNING: Auth-Type already set. Not setting to PAP (267) [pap] = noop (267) } # authorize = updated (267) Found Auth-Type = eap (267) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (267) authenticate { (267) eap: Expiring EAP session with state 0x4cf0afb84dfdabc5 (267) eap: Finished EAP session with state 0x4cf0afb84dfdabc5 (267) eap: Previous EAP request found for state 0x4cf0afb84dfdabc5, released from the list (267) eap: Peer sent packet with method EAP MD5 (4) (267) eap: Calling submodule eap_md5 to process data (267) eap_md5: Cleartext-Password is required for EAP-MD5 authentication (267) eap: ERROR: Failed continuing EAP MD5 (4) session. EAP sub-module failed (267) eap: Sending EAP Failure (code 4) ID 13 length 4 (267) eap: Failed in EAP select (267) [eap] = invalid (267) } # authenticate = invalid (267) Failed to authenticate the user (267) Using Post-Auth-Type Reject (267) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (267) Post-Auth-Type REJECT {