Try changing the Load-Balance-Key to User-Name. And then using radtest for simple tests. That gets you the useful debug information, without tons of EAP stuff.
But... the Load-Balance-Key seems to work here. I haven't heard of anyone else having issues with it.
The users get rejected because they're fake, but I get the same results using User-Name. Here are 2 clients trying to connect, different usernames both go to the same server. These 2 clients are the only ones using this server right now. Received Access-Request Id 4 from 10.7.2.37:37771 to 10.7.0.28:1812 length 77 User-Name = 'user1' User-Password = 'REDACTED' NAS-IP-Address = 127.0.0.1 NAS-Port = 43 Message-Authenticator = 0xa09859e7179919143cd31505405ef595 (0) Received Access-Request packet from host 10.7.2.37 port 37771, id=4, length=77 (0) User-Name = 'user1' (0) User-Password = 'REDACTED' (0) NAS-IP-Address = 127.0.0.1 (0) NAS-Port = 43 (0) Message-Authenticator = 0xa09859e7179919143cd31505405ef595 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) if (!&User-Name) (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\\.\\./ ) (0) if (&User-Name =~ /\\.\\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\\.$/) (0) if (&User-Name =~ /\\.$/) -> FALSE (0) if (&User-Name =~ /@\\./) (0) if (&User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : Checking for suffix after "@" (0) suffix : No '@' in User-Name = "user1", looking up realm NULL (0) suffix : Found realm "DEFAULT" (0) suffix : Adding Stripped-User-Name = "user1" (0) suffix : Adding Realm = "DEFAULT" (0) suffix : Proxying request from user user1 to realm DEFAULT (0) suffix : Preparing to proxy authentication request to realm "DEFAULT" (0) [suffix] = updated (0) eap : No EAP-Message, not doing EAP (0) [eap] = noop (0) files : users: Matched entry DEFAULT at line 2 (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop (0) [pap] = noop (0) } # authorize = updated (0) # Executing section pre-proxy from file /etc/raddb/sites-enabled/default (0) pre-proxy { (0) update control { (0) EXPAND %{User-Name} (0) --> user1 (0) Load-Balance-Key := "user1" (0) } # update control = noop (0) } # pre-proxy = noop Opening new proxy socket 'proxy address * port 0' Listening on proxy address * port 47824 (0) Proxying request to home server 10.7.0.29 port 1812 timeout 20.000000 (0) Sending Access-Request packet to host 10.7.0.29 port 1812, id=38, length=0 (0) User-Name = 'user1' (0) User-Password = 'REDACTED' (0) NAS-IP-Address = 127.0.0.1 (0) NAS-Port = 43 (0) Message-Authenticator = 0xa09859e7179919143cd31505405ef595 (0) Event-Timestamp = 'Sep 7 2016 14:36:26 CDT' (0) Stripped-User-Name = 'user1' (0) Realm = 'DEFAULT' (0) Proxy-State = 0x34 Sending Access-Request Id 38 from 0.0.0.0:47824 to 10.7.0.29:1812 User-Name = 'user1' User-Password = 'REDACTED' NAS-IP-Address = 127.0.0.1 NAS-Port = 43 Message-Authenticator = 0xa09859e7179919143cd31505405ef595 Event-Timestamp = 'Sep 7 2016 14:36:26 CDT' Proxy-State = 0x34 Waking up in 0.3 seconds. Waking up in 0.1 seconds. (0) Expecting proxy response no later than 19.499780 seconds from now Waking up in 19.4 seconds. Received Access-Reject Id 38 from 10.7.0.29:1812 to 10.7.0.28:47824 length 23 Proxy-State = 0x34 (0) Received Access-Reject packet from host 10.7.0.29 port 1812, id=38, length=23 (0) Proxy-State = 0x34 (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject : EXPAND %{User-Name} (0) attr_filter.access_reject : --> user1 (0) attr_filter.access_reject : Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure (0) [eap] = noop (0) remove_reply_message_if_eap remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else else { (0) [noop] = noop (0) } # else else = noop (0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sending Access-Reject packet to host 10.7.2.37 port 37771, id=4, length=0 Sending Access-Reject Id 4 from 10.7.0.28:1812 to 10.7.2.37:37771 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 4 with timestamp +231 Ready to process requests Received Access-Request Id 134 from 10.7.2.37:42049 to 10.7.0.28:1812 length 77 User-Name = 'user2' User-Password = 'REDACTED' NAS-IP-Address = 127.0.0.1 NAS-Port = 43 Message-Authenticator = 0x8492cc7453e8c02139f1b8081cc8b0d7 (1) Received Access-Request packet from host 10.7.2.37 port 42049, id=134, length=77 (1) User-Name = 'user2' (1) User-Password = 'REDACTED' (1) NAS-IP-Address = 127.0.0.1 (1) NAS-Port = 43 (1) Message-Authenticator = 0x8492cc7453e8c02139f1b8081cc8b0d7 (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) filter_username filter_username { (1) if (!&User-Name) (1) if (!&User-Name) -> FALSE (1) if (&User-Name =~ / /) (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@.*@/ ) (1) if (&User-Name =~ /@.*@/ ) -> FALSE (1) if (&User-Name =~ /\\.\\./ ) (1) if (&User-Name =~ /\\.\\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\\.$/) (1) if (&User-Name =~ /\\.$/) -> FALSE (1) if (&User-Name =~ /@\\./) (1) if (&User-Name =~ /@\\./) -> FALSE (1) } # filter_username filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix : Checking for suffix after "@" (1) suffix : No '@' in User-Name = "user2", looking up realm NULL (1) suffix : Found realm "DEFAULT" (1) suffix : Adding Stripped-User-Name = "user2" (1) suffix : Adding Realm = "DEFAULT" (1) suffix : Proxying request from user user2 to realm DEFAULT (1) suffix : Preparing to proxy authentication request to realm "DEFAULT" (1) [suffix] = updated (1) eap : No EAP-Message, not doing EAP (1) [eap] = noop (1) files : users: Matched entry DEFAULT at line 2 (1) [files] = ok (1) [expiration] = noop (1) [logintime] = noop (1) [pap] = noop (1) } # authorize = updated (1) # Executing section pre-proxy from file /etc/raddb/sites-enabled/default (1) pre-proxy { (1) update control { (1) EXPAND %{User-Name} (1) --> user2 (1) Load-Balance-Key := "user2" (1) } # update control = noop (1) } # pre-proxy = noop (1) Proxying request to home server 10.7.0.29 port 1812 timeout 20.000000 (1) Sending Access-Request packet to host 10.7.0.29 port 1812, id=246, length=0 (1) User-Name = 'user2' (1) User-Password = 'REDACTED' (1) NAS-IP-Address = 127.0.0.1 (1) NAS-Port = 43 (1) Message-Authenticator = 0x8492cc7453e8c02139f1b8081cc8b0d7 (1) Event-Timestamp = 'Sep 7 2016 14:36:50 CDT' (1) Stripped-User-Name = 'user2' (1) Realm = 'DEFAULT' (1) Proxy-State = 0x313334 Sending Access-Request Id 246 from 0.0.0.0:47824 to 10.7.0.29:1812 User-Name = 'user2' User-Password = 'REDACTED' NAS-IP-Address = 127.0.0.1 NAS-Port = 43 Message-Authenticator = 0x8492cc7453e8c02139f1b8081cc8b0d7 Event-Timestamp = 'Sep 7 2016 14:36:50 CDT' Proxy-State = 0x313334 Waking up in 0.3 seconds. Waking up in 0.1 seconds. (1) Expecting proxy response no later than 19.499795 seconds from now Waking up in 19.4 seconds. Received Access-Reject Id 246 from 10.7.0.29:1812 to 10.7.0.28:47824 length 25 Proxy-State = 0x313334 (1) Received Access-Reject packet from host 10.7.0.29 port 1812, id=246, length=25 (1) Proxy-State = 0x313334 (1) Using Post-Auth-Type Reject (1) # Executing group from file /etc/raddb/sites-enabled/default (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject : EXPAND %{User-Name} (1) attr_filter.access_reject : --> user2 (1) attr_filter.access_reject : Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure (1) [eap] = noop (1) remove_reply_message_if_eap remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else else { (1) [noop] = noop (1) } # else else = noop (1) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = updated (1) Delaying response for 1 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (1) Sending delayed response (1) Sending Access-Reject packet to host 10.7.2.37 port 42049, id=134, length=0 Sending Access-Reject Id 134 from 10.7.0.28:1812 to 10.7.2.37:42049 Waking up in 3.9 seconds. (1) Cleaning up request packet ID 134 with timestamp +255 Ready to process requests