Hi, I'm using freeRadius 2.0.3 on my WLAN. I have WindowsXP, WindowsVista and Apple (OSX) clients. Windows clients authenticate well with freeRadius but I have problems with OSX Leopard. I can't figure out where the problem originates from. I'm using MySQL, Cleartext-Passwords, PEAP auth, WPA-Enterprise, AES. The error that pops up while authenticating OSX is the following (see below for extended logs): Tue Jun 17 20:02:53 2008 : Error: TLS Alert read:warning:close notify Tue Jun 17 20:02:53 2008 : Auth: Login incorrect: [userX] (from client NAS1-WiFi port 8 cli 001c34c14d76) Does anybody have experience with OSX clients and freeRadius? Does anybody have a radiusd and eap configuration file which is known to work with OSX Leopard and could you post it to me? Ofcourse I realise that the problem could be with the AP (WAP54G) or the clients itself. I've done many hours of testing/reading though but can't figure out what's causing it. Ok, thanks for all your help! gr, Jelle Logs of "radiusd -X": -> As you can see I use a littlebit of a hacked version of the SQL implementation to use another MySQL table (integration with Lan Management System), but that shouldn't matter. As I said, other clients authenticate without problems. User-Name = "userX" NAS-IP-Address = 172.16.27.18 Called-Station-Id = "001a70abad32" Calling-Station-Id = "001b63c13f76" NAS-Identifier = "001a70abad32" NAS-Port = 8 Framed-MTU = 1400 State = 0xeb256c65e8d575619976542f479f49d4 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02f0002f1980000000251503010020c5ac7365546396895a7fb74e2ab11d3ec7a8f2de0a7c761fda82cbd9f1a99de2 Message-Authenticator = 0x2f90d0e5a8325a3bf379f1243dda8195 +- entering group authorize ++[preprocess] returns ok expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/172.16.27.18/auth-detail-20080617 rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/172.16.27.18/auth-detail-20080617 expand: %t -> Tue Jun 17 20:17:07 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "userX", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 240 length 47 rlm_eap: Continuing tunnel setup. ++[eap] returns ok expand: %{User-Name} -> userX rlm_sql (sql): sql_set_user escaped user --> 'userX' rlm_sql (sql): Reserving sql socket id: 0 expand: SELECT ownerid as id, username, 'Cleartext-Password' as attribute, passwd as value, ':=' as op FROM nodes WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT ownerid as id, username, 'Cleartext-Password' as attribute, passwd as value, ':=' as op FROM nodes WHERE username = 'userX' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT ownerid as id, username, 'Cleartext-Password' as attribute, passwd as value, ':=' as op FROM nodes WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT ownerid as id, username, 'Cleartext-Password' as attribute, passwd as value, ':=' as op FROM nodes WHERE username = 'userX' ORDER BY id expand: SELECT 'dynamic' as groupname FROM customers WHERE name = '%{SQL-User-Name}' ORDER BY id -> SELECT 'dynamic' as groupname FROM customers WHERE name = 'userX' ORDER BY id rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 37 rlm_eap_tls: Length Included eaptls_verify returned 11 eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], warning close_notify TLS Alert read:warning:close notify SSL Connection Established rlm_eap_tls: Application Data rlm_eap_peap: Tunneled data is invalid. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Login incorrect: [userX/<via Auth-Type = EAP>] (from client NAS1-WiFi port 8 cli 001b63c13f76) Delaying reject of request 9 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 9 EAP-Message = 0x04f00004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 4.9 seconds. Cleaning up request 9 ID 0 with timestamp +33