I'm working to setup a FreeRADIUS server to authenticate our users for Wifi connectivity. I've read a bunch of documentation and followed many different guides, but things aren't coming together. On the FR server when I run radtest, I'm seeing the following: radtest brian.testing@digitalturbine.com <redacted> localhost 1812 testing123 Sent Access-Request Id 212 from 0.0.0.0:47042 to 127.0.0.1:1812 length 102 User-Name = "brian.testing@digitalturbine.com" User-Password = "<redacted>" NAS-IP-Address = 10.255.1.105 NAS-Port = 1812 Message-Authenticator = 0x00 Cleartext-Password = "<redacted>" Received Access-Reject Id 212 from 127.0.0.1:1812 to 127.0.0.1:47042 length 20 (0) -: Expected Access-Accept got Access-Reject Obviously something must not be right in my configuration. If I go to the freeradius -X screen I see the following: Ready to process requests (1) Received Access-Request Id 212 from 127.0.0.1:47042 to 127.0.0.1:1812 length 102 (1) User-Name = "brian.testing@digitalturbine.com" (1) User-Password = "<redacted>" (1) NAS-IP-Address = 10.255.1.105 (1) NAS-Port = 1812 (1) Message-Authenticator = 0x816dbf275b3973f411280b940d311f82 (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (1) auth_log: --> /var/log/freeradius/radacct/ 127.0.0.1/auth-detail-20240319 (1) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20240319 (1) auth_log: EXPAND %t (1) auth_log: --> Tue Mar 19 16:47:00 2024 (1) [auth_log] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: Looking up realm "digitalturbine.com" for User-Name = " brian.testing@digitalturbine.com" (1) suffix: No such realm "digitalturbine.com" (1) [suffix] = noop (1) eap: No EAP-Message, not doing EAP (1) [eap] = noop (1) [files] = noop rlm_ldap (ldap): Reserved connection (0) (1) ldap: EXPAND (&(objectClass=user)(uid=:%{User-Name}})(memberOf:1.2.840.113556.1.4.1941:=cn=group,dc=digitalturbine,dc=okta,dc=com)) (1) ldap: --> (&(objectClass=user)(uid=:brian.testing@digitalturbine.com })(memberOf:1.2.840.113556.1.4.1941:=cn=group,dc=digitalturbine,dc=okta,dc=com)) (1) ldap: Performing search in "ou=users,dc=digitalturbine,dc=okta,dc=com" with filter "(&(objectClass=user)(uid=:brian.testing@digitalturbine.com})(memberOf:1.2.840.113556.1.4.1941:=cn=group,dc=digitalturbine,dc=okta,dc=com))", scope "sub" (1) ldap: Waiting for search result... rlm_ldap (ldap): Reconnecting (0) rlm_ldap (ldap): Connecting to ldaps://digitalturbine.ldap.okta.com:636 rlm_ldap (ldap): Waiting for bind result... ber_get_next failed, errno=11. rlm_ldap (ldap): Bind successful (1) ldap: WARNING: Search failed: Can't contact LDAP server. Got new socket, retrying... (1) ldap: Waiting for search result... (1) ldap: ERROR: Failed performing search: Unknown error rlm_ldap (ldap): Released connection (0) Need 1 more connections to reach min connections (3) Need more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (6), 1 of 30 pending slots used rlm_ldap (ldap): Connecting to ldaps://digitalturbine.ldap.okta.com:636 rlm_ldap (ldap): Waiting for bind result... ber_get_next failed, errno=11. rlm_ldap (ldap): Bind successful rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing expired connection (5) - Hit idle_timeout limit (1) [ldap] = fail (1) } # authorize = fail (1) Using Post-Auth-Type Reject (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject: EXPAND %{User-Name} (1) attr_filter.access_reject: --> brian.testing@digitalturbine.com (1) attr_filter.access_reject: Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) [eap] = noop (1) policy remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) { (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else { (1) [noop] = noop (1) } # else = noop (1) } # policy remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = updated (1) Delaying response for 1.000000 seconds Waking up in 0.9 seconds. (1) Sending delayed response (1) Sent Access-Reject Id 212 from 127.0.0.1:1812 to 127.0.0.1:47042 length 20 Waking up in 3.9 seconds. (1) Cleaning up request packet ID 212 with timestamp +11949 due to cleanup_delay was reached Ready to process requests First thing I see is "Looking up Realm" and "No such Realm." I have not defined realm anywhere as the documentation points to this being needed for Proxy and I'm not using a proxy. Next I'm seeing a lot of "ber_get_next failed, errno=11" errors with the rtm_ldap. I do eventually see the "bind successful" message. Then comes the following: (1) ldap: WARNING: Search failed: Can't contact LDAP server. Got new socket, retrying... (1) ldap: Waiting for search result... (1) ldap: ERROR: Failed performing search: Unknown error rlm_ldap (ldap): Released connection (0) Not sure why it can't connect to LDAP server or why the search is failing. An ldapsearch at the command line does connect to the LDAP server and will show me info: ldapsearch -x \ -H ldaps://digitalturbine.ldap.okta.com \ -D "uid=jamf.service@digitalturbine.com,ou=users,dc=digitalturbine,dc=okta,dc=com" \ -W \ -b dc=digitalturbine,dc=okta,dc=com \ uid=brian.testing@digitalturbine.com \* + Enter LDAP Password: # extended LDIF # # LDAPv3 # base <dc=digitalturbine,dc=okta,dc=com> with scope subtree # filter: uid=brian.testing@digitalturbine.com # requesting: * + # # brian.testing@digitalturbine.com, users, digitalturbine.okta.com dn: uid=brian.testing@digitalturbine.com ,ou=users,dc=digitalturbine,dc=okta,dc =com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson uid: brian.testing@digitalturbine.com uniqueIdentifier: 00u97lgr7yx8L83Ko696 organizationalStatus: ACTIVE givenName: Brian sn: Testing cn: Brian Testing mail: brian.testing@digitalturbine.com displayName: Brian Testing title: Testor # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 So not quite sure what I'm missing. Any help you can give is very appreciative.