Hi I have a problem: 1. The ldap don't replace(expand) the calling-station-id to the mac address, just one time(first) first time: [ldap] expand: (&(employeeType=TRUE)(cn=%{Stripped-User-Name:-%{User-Name}})(macAddress=%{Calling-Station-Id})) -> (&(employeeType=TRUE)(cn=test)(macAddress=0000.a8bb.4444)) next time: [ldap] expand: (&(employeeType=TRUE)(cn=%{Stripped-User-Name:-%{User-Name}})(macAddress=%{Calling-Station-Id})) -> (&(employeeType=TRUE)(cn=test)(macAddress=)) no mac address expanded I have tried %i, but not worked (expanded it to macAddress=_ ??? 2. If i use EAP-PEAP + LDAP(cleartext password) works everything. (def_eap_type=peap) but I want to store the password md5 format in the ldap, what have to change, what is the solution? Really thank you! Gabor here is the debug: rad_recv: Access-Request packet from host 192.168.1.22 port 1645, id=186, length=128 User-Name = "test" Framed-MTU = 1400 Called-Station-Id = "0000.a8bb.4444" Calling-Station-Id = "0000.a8bb.4444" Service-Type = Login-User Message-Authenticator = 0x062b1cef262b3e644dc7ccf73c2 EAP-Message = 0x0202000174657374 NAS-Port-Type = Wireless-802.11 NAS-Port = 1341 NAS-IP-Address = 192.168.1.22 NAS-Identifier = "AP-******" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [ldap] performing user authorization for test [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (&(employeeType=TRUE)(cn=%{Stripped-User-Name:-%{User-Name}})(macAddress=%{Calling-Station-Id})) -> (&(employeeType=TRUE)(cn=test)(macAddress=0000.a8bb.4444)) [ldap] expand: ou=users,ou=wireless,dc=test,dc=hu -> ou=users,ou=wireless,dc=test,dc=hu rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0 rlm_ldap: bind as cn=admin,dc=test,dc=hu to 127.0.0.1:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=users,ou=wireless,dc=test,dc=hu, with filter (&(employeeType=TRUE)(cn=test)(macAddress=0000.a8bb.4444)) [ldap] Added User-Password = test in check items [ldap] looking for check items in directory... rlm_ldap: macAddress -> Calling-Station-Id == "0000.a8bb.4444" [ldap] looking for reply items in directory... [ldap] user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 186 to 192.168.1.22 port 1645 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x21edcefb21eed7bf189571f209151db8 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.22 port 1645, id=187, length=217 User-Name = "test" Framed-MTU = 1400 Called-Station-Id = "0000.a8bb.4444" Calling-Station-Id = "0000.a8bb.4444" Service-Type = Login-User Message-Authenticator = 0x34321379ca3695c51b5ebd770 EAP-Message = 0x0203005019800000004616030100410d030149804ef1e846e0c547f88e3054cbee268ce2b4178c7bc8134b949771a2debdae00001600040005000a0009640062000300060013001200630100 NAS-Port-Type = Wireless-802.11 NAS-Port = 1341 State = 0x21edcefb21eed7bf189571f209151db8 NAS-IP-Address = 192.168.1.22 NAS-Identifier = "AP-******" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 70 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0041], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 187 to 192.168.1.22 port 1645 EAP-Message = 0x0104040019c00000089b160301002a02000026030149804eb2858d10f17f4191308ec2be88f30915e2fcd1a2e391f4914c7c6d10ff000004001603010b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c457861706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3039303132373136323631305a170d3130303132373136323631305a307c310b3009060355040613024652310f300d06035504081306526164697573311530130655040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c652053657276657220436576669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100a2dd30f783fedc0ebb06606a9b8ae089768200bf67c5bf9c11f4cb6ceb75e791b149f370e491be2231ad424449e2c78bdb8d38c1159f78dedfb3507346b9 EAP-Message = 0x2072ee1914779b5c41ef3e1655241282fcb585ceb610d2805cf17cf804618d5817af59bebd15600037f728a8ee77bb037f86ef8ee833fc752992dae041cc7ccceef1c68fe577273ab4890ba75b1cc5a681609187ea3d0adb654c5ca4651af30c925cadb2efb859f696f8e53969b8f30379fe1095bfcb6713d750b9fc3a775b0f2531e6a9705400d00ec85e690fe7a7682290c5588ba15bc3da2a4b4ff8141c168c98ab79615734eb0e2e1e26769c0e22581f4eda365fba7701caadd6a5bbbe73490203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100cf12958cc07c7de95c EAP-Message = 0xd176d4d452bdd684a169b50b57a247bdf802a7ff11955f409c7668f5565e369af83ea738359a3bb15e5a40dc7794084cddab8743d7cbe7f0ad93e6672279c25640a575482b5591366cac64e3ec424c2679a0a4d59d2727f3bc4bf68b113d4e4edfee756b077fc7e51222fb4d7e6be43cb2b306ff561e69075a3d70560c90ece9970cc1bb230c450e77db5e0c1c164aa0b4be10c3f7226361f491b7171fc2dd07948d0c634751d2d3700ac600be9969e3f6a05c8bef043cd2035410ad4a96fcd7dfd46f70b803907c8c976b39a01f8c7eb961b4015415b533b749ee5e7c711192f06506190eedcd6c46d08bc062ee9ed071c50004ab308204 EAP-Message = 0xa73082038fa0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x21edcefb20e9d7bf189571f209151db8 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.22 port 1645, id=188, length=143 User-Name = "test" Framed-MTU = 1400 Called-Station-Id = "0000.a8bb.4444" Calling-Station-Id = "0000.a8bb.4444" Service-Type = Login-User Message-Authenticator = 0x6bb7e77a4ec227c2822c42f2b1e6fb EAP-Message = 0x02040061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 1341 State = 0x21edcefb20e9d7b9571f209151db8 NAS-IP-Address = 192.168.1.22 NAS-Identifier = "AP-******" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 188 to 192.168.1.22 port 1645 EAP-Message = 0x010503fc194000e9429c938605a22c300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d06035504081306526164697573311230106035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c652043657274696669636174417574686f72697479301e170d3039303132373136323631305a170d3130303132373136323631305a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504 EAP-Message = 0x071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a64886f70d01010105000382010f003082010a0282010100f2747f57bce4bf59d6cc942ac7387d2f81376ad5816d04c8d1ab6091430e895910745313f01c53f4720d43c05ac1287ea26d475826eac158d43a21767296fdd0349d9de9ada5083ff3ee31a254b1f993b21d1e1bed840b241b803bc13546c1789cab52f5865ca4084b74bffe5c1de3 EAP-Message = 0xa3dd190a240f1d1f2104a24e12cb39294ff54a637067da075784279d43072f8e2fe418393ac9f88027076446e612a7dccf08d7cc5d94b9a66ba49d2adb50d1535e6a2389170972f6e66aa09171c47628b409efbe0b0bfcccf8046847b789d80e1f5e1138b7392298b137e6cbb6c8f56952763ce06db19da6cca226cf535352b098764f6ee6bd59ac4ed1ac77909a370203010001a381fb3081f8301d0603551d0e041604140f3428d285dfc3e4e181d546dd066bd5453011b83081c80603551d230481c03081bd80140f3428d285dfc3e4e181d546dd066bd5453011b8a18199a48196308193310b3009060355040613024652310f300d06035504 EAP-Message = 0x0813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c652043657274696669636146520417574686f72697479820900e9429c938605a22c300c0603551d13040530030101ff300d06092a864886f70d010105050003820106c25ddea16db6b8d5117091ec64bd79f6c19096eade754cd0d43e34b4883ff7b82b90e9eaf308ed2e362c077a2578f101f024417255592904c8e8111c05e663eb76192d39e9b28facdef1e303f846edd7901 EAP-Message = 0x0b07e3d810b8d8c2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x21edcefb23e8d7bf189571f209151db8 Finished request 2. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.1.22 port 1645, id=189, length=143 User-Name = "test" Framed-MTU = 1400 Called-Station-Id = "0000.a8bb.4444" Calling-Station-Id = "0000.a8bb.4444" Service-Type = Login-User Message-Authenticator = 0x226fc7ada2d285c32d24f720d407d7e EAP-Message = 0x02050001900 NAS-Port-Type = Wireless-802.11 NAS-Port = 1341 State = 0x21edcefb23e8d7bf189571209151db8 NAS-IP-Address = 192.168.1.22 NAS-Identifier = "*******" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 189 to 192.168.1.22 port 1645 EAP-Message = 0x010600b519003c537c032bb8e8953323bf2374ab386acf14170329724c3d9d72cf93b571123a19fa0b46a87f35e95604131e43eb082e5c7c546f948a8ef904f192ad2d93a6b5dabf5ff168241cdc993ad54d976fac81ac947960a16e88ec141447d5dcd5c79a79b0d2ab3104d3362b2c5f8ff3ce42b764d8a9ca3afa2eb0428df7f12202e89964afc55771f78990d0064be81a844c38d19802bdacc6c5dbfd07bad558ab25778082a5216030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x21edcefb22ebd7bf189571f209151db8 Finished request 3. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 192.168.1.22 port 1645, id=190, length=459 User-Name = "test" Framed-MTU = 1400 Called-Station-Id = "0000.a8bb.4444" Calling-Station-Id = "0000.a8bb.4444" Service-Type = Login-User Message-Authenticator = 0xcfe5abdbf0680775672a33a6bef960df EAP-Message = 0x020601401980000001361603010106100001020100436c901d963c492c7126dcf2905925f1f95b5603f7f35425d54e4ae49498269e741de850e38fceedd56d39f39be7c801b9da1b4b1a5f9659e5cb8c38bd22386b370bd7ee0129d83f8e292d576e00ea268bd316e4dcc26e7350f7ca207518e587a006c7f02c57f5d45a3322d1864861e09f489809447afd3a64318438e28700d3ef5fdbe0c41d2e5b66d97bbb398c8fd96919c622e7838f471be47afe0246e3bffbfdc47729dc02d48fbe954a3da20c8f9aecba1911ce290f9edcbd2222cc95437e988ef47ada57df84d30d6a9612475633e0a69626f5ea77fbec9fac499a82b3d7f5d7c731538 EAP-Message = 0x101284b8f3ca2a43d3211ade7b0df34add279c4f1ebc8514030100010116030100203292e0157ed35685cc9b7f7171db2186455072f09696152447fd775064ef5c75 NAS-Port-Type = Wireless-802.11 NAS-Port = 1341 State = 0x21edcefb22ebd7bf189571f209151db8 NAS-IP-Address = 192.168.1.22 NAS-Identifier = "AP-C1231G" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 310 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 190 to 192.168.1.22 port 1645 EAP-Message = 0x01070031190014030100010116030100208216893c34c5a181fba86ab16939b371b832cdbcc9790fc9a323e8b7b831d205 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x21edcefb25ead7bf189571f209151db8 Finished request 4. Going to the next request Waking up in 4.5 seconds. rad_recv: Access-Request packet from host 192.168.1.22 port 1645, id=191, length=143 User-Name = "test" Framed-MTU = 1400 Called-Station-Id = "0000.a8bb.4444" Calling-Station-Id = "0000.a8bb.4444" Service-Type = Login-User Message-Authenticator = 0xef924dab21994165f9c7f26bcc9c74 EAP-Message = 0x0207061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 1341 State = 0x21edcefb25ead7bf189571f209151db8 NAS-IP-Address = 192.168.1.22 NAS-Identifier = "AP-C1231G" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 191 to 192.168.1.22 port 1645 EAP-Message = 0x01080020190003010015411f57ba89d6fd6a04a64468de35f449bfb3723b9d Message-Authenticator = 0x000000000000000000000000000000 State = 0x21edcefb24e5d7bf189571f209151db8 Finished request 5. Going to the next request Waking up in 4.4 seconds. rad_recv: Access-Request packet from host 192.168.1.22 port 1645, id=192, length=169 User-Name = "test" Framed-MTU = 1400 Called-Station-Id = "0000.a8bb.4444" Calling-Station-Id = "0000.a8bb.4444" Service-Type = Login-User Message-Authenticator = 0xc06d4852b31e35efeba025235c053 EAP-Message = 0x0208002019001703311c3baa66e04048fec693e9893f1a7e211aaa805a NAS-Port-Type = Wireless-802.11 NAS-Port = 1341 State = 0x21edcefb24e5d7bf189571f209151db8 NAS-IP-Address = 192.168.1.22 NAS-Identifier = "AP-C1231G" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 32 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - test [peap] Got tunneled request EAP-Message = 0x020800090174657374 server { PEAP: Got tunneled identity of test PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to test Sending tunneled request EAP-Message = 0x020800090174657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" server { +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [ldap] performing user authorization for test [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (&(employeeType=TRUE)(cn=%{Stripped-User-Name:-%{User-Name}})(macAddress=%{Calling-Station-Id})) -> (&(employeeType=TRUE)(cn=test)(macAddress=)) [ldap] expand: ou=users,ou=wireless,dc=test,dc=hu -> ou=users,ou=wireless,dc=test,dc=hu rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=users,ou=wireless,dc=test,dc=hu, with filter (&(employeeType=TRUE)(cn=test)(macAddress=)) rlm_ldap: object not found or got ambiguous search result [ldap] search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop