Hi all, First, a bit of background: I've had this freeradius server working well for months. I built it, with Google Authenticator for two-factor authentication. I integrated it with my Dell Sonicwall to implement SSLVPN with two-factor authentication. All that was working fine. Yesterday, I needed to rebuild my AWS VPC (Virtual PRovate Cloud) so we could add a VPN tunnel from another office, which had conflicting IP address ranges, so, I built a new VPC and re-launched my freeradius servers into the new VPC, and stuff stopped working. I'm not sure what's going on here, but even a simple radtest fails. This is: [ec2-user@tfa-primary ~]$ /usr/sbin/radiusd -v radiusd: FreeRADIUS Version 3.0.13, for host x86_64-redhat-linux-gnu, built on Jul 17 2017 at 06:58:38 FreeRADIUS Version 3.0.13 When I run radtest, I get: [ec2-user@tfa-primary ~]$ radtest mbobak Welcome123816449 127.0.0.1:1812 0 NiTs#@\!xyzzy Sent Access-Request Id 36 from 0.0.0.0:51762 to 127.0.0.1:1812 length 76 User-Name = "mbobak" User-Password = "Welcome123816449" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "Welcome123816449" Received Access-Reject Id 36 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 (0) -: Expected Access-Accept got Access-Reject Which doesn't seem to really indicate anything specific, that I can see. When I run radiusd with '-X' option and execute 'radtest', I get: (19) Received Access-Request Id 36 from 127.0.0.1:51762 to 127.0.0.1:1812 length 76 (19) User-Name = "mbobak" (19) User-Password = "Welcome123816449" (19) NAS-IP-Address = 127.0.1.1 (19) NAS-Port = 0 (19) Message-Authenticator = 0xcbae6be380f42f0e8bbff9e2419d229b (19) # Executing section authorize from file /etc/raddb/sites-enabled/default (19) authorize { (19) policy filter_username { (19) if (&User-Name) { (19) if (&User-Name) -> TRUE (19) if (&User-Name) { (19) if (&User-Name =~ / /) { (19) if (&User-Name =~ / /) -> FALSE (19) if (&User-Name =~ /@[^@]*@/ ) { (19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (19) if (&User-Name =~ /\.\./ ) { (19) if (&User-Name =~ /\.\./ ) -> TRUE (19) if (&User-Name =~ /\.\./ ) { (19) update request { (19) &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s' (19) } # update request = noop (19) [reject] = reject (19) } # if (&User-Name =~ /\.\./ ) = reject (19) } # if (&User-Name) = reject (19) } # policy filter_username = reject (19) } # authorize = reject (19) Using Post-Auth-Type Reject (19) # Executing group from file /etc/raddb/sites-enabled/default (19) Post-Auth-Type REJECT { (19) attr_filter.access_reject: EXPAND %{User-Name} (19) attr_filter.access_reject: --> mbobak (19) attr_filter.access_reject: Matched entry DEFAULT at line 11 (19) [attr_filter.access_reject] = updated (19) [eap] = noop (19) policy remove_reply_message_if_eap { (19) if (&reply:EAP-Message && &reply:Reply-Message) { (19) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (19) else { (19) [noop] = noop (19) } # else = noop (19) } # policy remove_reply_message_if_eap = noop (19) } # Post-Auth-Type REJECT = updated (19) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (19) Sending delayed response (19) Sent Access-Reject Id 36 from 127.0.0.1:1812 to 127.0.0.1:51762 length 20 Waking up in 3.9 seconds. (19) Cleaning up request packet ID 36 with timestamp +5768 Ready to process requests Can someone offer me a clue? Thanks! -Mark