Alan, please do not get angry ok?, The line in my answer about the "sarcastical reply" was for Alexander, not for you. Note: WIFIDATA & WIFIVOIP do 802.1x EAP+mschapv2 ok. Here're the logs: First authentication -------------------------- (...) Listening on authentication interface eth0 address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.0.0.1port 32770, id=29, length=95 User-Name = "0019B976CC36" User-Password = "0019B976CC36" NAS-IP-Address = 10.0.0.1 Service-Type = Login-User Calling-Station-Id = "00-19-B9-76-CC-36" NAS-Port-Id = "2:18" NAS-Port-Type = Ethernet +- entering group authorize {...} [preprocess] expand: %{NAS-Port-Id} -> 2:18 ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.0.0.1/auth-detail-20110331 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.0.0.1/auth-detail-20110331 [auth_log] expand: %t -> Thu Mar 31 11:31:09 2011 ++[auth_log] returns ok ++- entering policy rewrite_calling_station_id {...} +++? if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0 -9a-f]{2})[-:]?([0-9a-f]{2})/i) ? Evaluating (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0 -9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE +++? if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0 -9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE +++- entering if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0 -9a-f]{2})[-:]?([0-9a-f]{2})/i) {...} expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 0019B976CC36 ++++[request] returns ok +++- if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0 -9a-f]{2})[-:]?([0-9a-f]{2})/i) returns ok +++ ... skipping else for request 0: Preceding "if" was taken ++- policy rewrite_calling_station_id returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "0019B976CC36", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "0019B976CC36", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [VOIP] - ldap_xlat [files] expand: ldap:///ou=VOIP,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=%i -> ldap:///ou=VOIP,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=0019B976CC3 6 [VOIP] ldap_get_conn: Checking Id: 0 [VOIP] ldap_get_conn: Got Id: 0 [VOIP] attempting LDAP reconnection [VOIP] (re)connect to 127.0.0.1:389, authentication 0 [VOIP] bind as cn=Manager,dc=machine,dc=com/mypassword to 127.0.0.1:389 [VOIP] waiting for bind result ... [VOIP] Bind was successful [VOIP] performing search in ou=VOIP,ou=VLANS,ou=Radius,dc=machine,dc=com, with filter uid=0019B976CC36 [VOIP] object not found [VOIP] Search returned not found [VOIP] ldap_release_conn: Release Id: 0 [files] expand: %{VOIP:ldap:///ou=VOIP,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=%i} -> [WIFIVOIP] - ldap_xlat [files] expand: ldap:///ou=WifiVoip,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=%i -> ldap:///ou=WifiVoip,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=0019B97 6CC36 [WIFIVOIP] ldap_get_conn: Checking Id: 0 [WIFIVOIP] ldap_get_conn: Got Id: 0 [WIFIVOIP] attempting LDAP reconnection [WIFIVOIP] (re)connect to 127.0.0.1:389, authentication 0 [WIFIVOIP] bind as cn=Manager,dc=machine,dc=com/mypassword to 127.0.0.1:389 [WIFIVOIP] waiting for bind result ... [WIFIVOIP] Bind was successful [WIFIVOIP] performing search in ou=WifiVoip,ou=VLANS,ou=Radius,dc=machine,dc=com, with filter uid=0019B976CC36 [WIFIVOIP] object not found [WIFIVOIP] Search returned not found [WIFIVOIP] ldap_release_conn: Release Id: 0 [files] expand: %{WIFIVOIP:ldap:///ou=WifiVoip,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one? uid=%i} -> [WIFIDATA] - ldap_xlat [files] expand: ldap:///ou=WifiData,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=%i -> ldap:///ou=WifiData,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=0019B97 6CC36 [WIFIDATA] ldap_get_conn: Checking Id: 0 [WIFIDATA] ldap_get_conn: Got Id: 0 [WIFIDATA] attempting LDAP reconnection [WIFIDATA] (re)connect to 127.0.0.1:389, authentication 0 [WIFIDATA] bind as cn=Manager,dc=machine,dc=com/mypassword to 127.0.0.1:389 [WIFIDATA] waiting for bind result ... [WIFIDATA] Bind was successful [WIFIDATA] performing search in ou=WifiData,ou=VLANS,ou=Radius,dc=machine,dc=com, with filter uid=0019B976CC36 [WIFIDATA] object not found [WIFIDATA] Search returned not found [WIFIDATA] ldap_release_conn: Release Id: 0 [files] expand: %{WIFIDATA:ldap:///ou=WifiData,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one? uid=%i} -> [STAFF] - ldap_xlat [files] expand: ldap:///ou=Staff,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=%i -> ldap:///ou=Staff,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=0019B976CC 36 [STAFF] ldap_get_conn: Checking Id: 0 [STAFF] ldap_get_conn: Got Id: 0 [STAFF] attempting LDAP reconnection [STAFF] (re)connect to 127.0.0.1:389, authentication 0 [STAFF] bind as cn=Manager,dc=machine,dc=com/mypassword to 127.0.0.1:389 [STAFF] waiting for bind result ... [STAFF] Bind was successful [STAFF] performing search in ou=Staff,ou=VLANS,ou=Radius,dc=machine,dc=com, with filter uid=0019B976CC36 [STAFF] Adding attribute uid, value: 0019B976CC36 [STAFF] ldap_release_conn: Release Id: 0 [STAFF] - ldap_xlat end [files] expand: %{STAFF:ldap:///ou=Staff,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=%i } -> 0019B976CC36 [files] users: Matched entry DEFAULT at line 219 ++[files] returns ok Found Auth-Type = STAFF +- entering group STAFF {...} [STAFF] login attempt by "0019B976CC36" with password "0019B976CC36" [STAFF] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [STAFF] ... expanding second conditional [STAFF] expand: %{User-Name} -> 0019B976CC36 [STAFF] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=0019B976CC36) [STAFF] expand: ou=Staff,ou=VLANS,ou=Radius,dc=machine,dc=com -> ou=Staff,ou=VLANS,ou=Radius,dc=machine,dc=com [STAFF] ldap_get_conn: Checking Id: 0 [STAFF] ldap_get_conn: Got Id: 0 [STAFF] performing search in ou=Staff,ou=VLANS,ou=Radius,dc=machine,dc=com, with filter (uid=0019B976CC36) [STAFF] ldap_release_conn: Release Id: 0 [STAFF] user DN: uid=0019B976CC36,ou=Staff,ou=VLANS,ou=Radius,dc=machine,dc=com [STAFF] (re)connect to 127.0.0.1:389, authentication 1 [STAFF] bind as uid=0019B976CC36,ou=Staff,ou=VLANS,ou=Radius,dc=machine,dc=com/0019B976CC36 to 127.0.0.1:389 [STAFF] waiting for bind result ... [STAFF] Bind was successful [STAFF] user 0019B976CC36 authenticated succesfully ++[STAFF] returns ok Login OK: [0019B976CC36] (from client OFF-Staff-extreme-network port 0 cli 0019B976CC36) +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 29 to 10.0.0.1port 32770 Extreme-Netlogin-Only = Enabled Extreme-CLI-Authorization = Disabled Extreme-Netlogin-Vlan = "Staff" Reply-Message = "OK: STAFF user+device (%u %i) accepted." Termination-Action = RADIUS-Request Session-Timeout = 3600 Finished request 0. Going to the next request Waking up in 9.9 seconds. rad_recv: Accounting-Request packet from host 10.0.0.1port 32771, id=11, length=114 Acct-Status-Type = Start User-Name = "0019B976CC36" NAS-IP-Address = 10.0.0.1 Acct-Session-Id = "Thu Mar 31, 2011 10:27:11" Service-Type = Login-User NAS-Port = 2018 NAS-Port-Type = Ethernet Tunnel-Private-Group-Id:0 = "4000" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Acct-Delay-Time = 0 +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] Hashing 'NAS-Port = 2018,Client-IP-Address = 10.0.0.1,NAS-IP-Address = 10.0.0.1,Acct-Session-Id = "Thu Mar 31, 2011 10:27:11",User-Name = "0019B976CC36"' [acct_unique] Acct-Unique-Session-ID = "1018b7c0059e059b". ++[acct_unique] returns ok [suffix] No '@' in User-Name = "0019B976CC36", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "0019B976CC36", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop ++[files] returns noop +- entering group accounting {...} [detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/10.0.0.1/detail-20110331 [detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/10.0.0.1/detail-20110331 [detail] expand: %t -> Thu Mar 31 11:31:09 2011 ++[detail] returns ok [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp [radutmp] expand: %{User-Name} -> 0019B976CC36 ++[radutmp] returns ok [attr_filter.accounting_response] expand: %{User-Name} -> 0019B976CC36 attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 11 to 10.0.0.1port 32771 Finished request 1. Cleaning up request 1 ID 11 with timestamp +5 Going to the next request Waking up in 9.9 seconds. Cleaning up request 0 ID 29 with timestamp +5 Ready to process requests. ----------------SECOND AUTHENTICATION ------------------ rad_recv: Access-Request packet from host 10.0.0.1port 32770, id=30, length=95 User-Name = "0026B9692F6F" User-Password = "0026B9692F6F" NAS-IP-Address = 10.0.0.1 Service-Type = Login-User Calling-Station-Id = "00-26-B9-69-2F-6F" NAS-Port-Id = "2:35" NAS-Port-Type = Ethernet +- entering group authorize {...} [preprocess] expand: %{NAS-Port-Id} -> 2:35 ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.0.0.1/auth-detail-20110331 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.0.0.1/auth-detail-20110331 [auth_log] expand: %t -> Thu Mar 31 11:32:15 2011 ++[auth_log] returns ok ++- entering policy rewrite_calling_station_id {...} +++? if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0 -9a-f]{2})[-:]?([0-9a-f]{2})/i) ? Evaluating (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0 -9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE +++? if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0 -9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE +++- entering if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0 -9a-f]{2})[-:]?([0-9a-f]{2})/i) {...} expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 0026B9692F6F ++++[request] returns ok +++- if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0 -9a-f]{2})[-:]?([0-9a-f]{2})/i) returns ok +++ ... skipping else for request 2: Preceding "if" was taken ++- policy rewrite_calling_station_id returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "0026B9692F6F", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "0026B9692F6F", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [STAFF2] - ldap_xlat [files] expand: ldap:///ou=Staff2,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=%i -> ldap:///ou=Staff2,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=0026B9692 F6F [STAFF2] ldap_get_conn: Checking Id: 0 [STAFF2] ldap_get_conn: Got Id: 0 [STAFF2] attempting LDAP reconnection [STAFF2] (re)connect to 127.0.0.1:389, authentication 0 [STAFF2] bind as cn=Manager,dc=machine,dc=com/mypassword to 127.0.0.1:389 [STAFF2] waiting for bind result ... [STAFF2] Bind was successful [STAFF2] performing search in ou=Staff2,ou=VLANS,ou=Radius,dc=machine,dc=com, with filter uid=0026B9692F6F [STAFF2] object not found [STAFF2] Search returned not found [STAFF2] ldap_release_conn: Release Id: 0 [files] expand: %{STAFF2:ldap:///ou=Staff2,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid= %i} -> [files] users: Matched entry DEFAULT at line 261 ++[files] returns ok Found Auth-Type = Reject Auth-Type = Reject, rejecting user Failed to authenticate the user. Login incorrect: [0026B9692F6F] (from client OFF-Staff-extreme-network port 0 cli 0026B9692F6F) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> 0026B9692F6F attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 2 for 2 seconds Going to the next request Waking up in 0.9 seconds. Waking up in 0.9 seconds. Sending delayed reject for request 2 Sending Access-Reject of id 30 to 10.0.0.1port 32770 Reply-Message = "FAIL: REJECTED. Please call the helpdesk." Waking up in 9.9 seconds.