Hi everyone, I’m brand new and having an issue that I haven’t found a clear answer to. I’m running free radius 3.x on ubuntu server 18.10. I have LDAP enabled to auth to google secure LDAP. So far I’m binding to google successfully and with the radtest command my LDAP user gets access-accept. If I do raddest with -t mschap I get access-reject. I’m hoping that someone more experienced can point me in the right direction as to where I can fix the issue. Here’s a snippet of my log in -X mode. Thanks in advance to anyone that can help =================================================================================================================== rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (15) [ldap] = ok (15) [expiration] = noop (15) [logintime] = noop (15) [pap] = noop (15) } # authorize = updated (15) Found Auth-Type = eap (15) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (15) authenticate { (15) eap: Expiring EAP session with state 0x53c912cb54220b41 (15) eap: Finished EAP session with state 0x313d43603170599a (15) eap: Previous EAP request found for state 0x313d43603170599a, released from the list (15) eap: Peer sent packet with method EAP MSCHAPv2 (26) (15) eap: Calling submodule eap_mschapv2 to process data (15) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (15) eap_mschapv2: authenticate { (15) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (15) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (15) mschap: Creating challenge hash with username: phil.grace@hssd.k12.ar.us (15) mschap: Client is using MS-CHAPv2 (15) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication (15) mschap: ERROR: MS-CHAP2-Response is incorrect (15) [mschap] = reject (15) } # authenticate = reject (15) eap: Sending EAP Failure (code 4) ID 77 length 4 (15) eap: Freeing handler (15) [eap] = reject (15) } # authenticate = reject (15) Failed to authenticate the user (15) Using Post-Auth-Type Reject (15) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (15) Post-Auth-Type REJECT { (15) attr_filter.access_reject: EXPAND %{User-Name} (15) attr_filter.access_reject: --> phil.grace@hssd.k12.ar.us (15) attr_filter.access_reject: Matched entry DEFAULT at line 11 (15) [attr_filter.access_reject] = updated (15) update outer.session-state { (15) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: FAILED: No NT/LM-Password. Cannot perform authentication' (15) } # update outer.session-state = noop (15) } # Post-Auth-Type REJECT = updated (15) } # server inner-tunnel (15) Virtual server sending reply (15) MS-CHAP-Error = "ME=691 R=1 C=369d22d8c278cfa7667ff5d2ab0bf287 V=3 M=Authentication rejected" (15) EAP-Message = 0x044d0004 (15) Message-Authenticator = 0x00000000000000000000000000000000 (15) eap_peap: Got tunneled reply code 3 (15) eap_peap: MS-CHAP-Error = "ME=691 R=1 C=369d22d8c278cfa7667ff5d2ab0bf287 V=3 M=Authentication rejected" (15) eap_peap: EAP-Message = 0x044d0004 (15) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (15) eap_peap: Got tunneled reply RADIUS code 3 (15) eap_peap: MS-CHAP-Error = "ME=691 R=1 C=369d22d8c278cfa7667ff5d2ab0bf287 V=3 M=Authentication rejected" (15) eap_peap: EAP-Message = 0x044d0004 (15) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (15) eap_peap: Tunneled authentication was rejected (15) eap_peap: FAILURE (15) eap: Sending EAP Request (code 1) ID 78 length 46 (15) eap: EAP session adding &reply:State = 0x893d3c588e7325ea (15) [eap] = handled (15) } # authenticate = handled (15) Using Post-Auth-Type Challenge (15) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (15) Challenge { ... } # empty sub-section is ignored (15) session-state: Saving cached attributes (15) Module-Failure-Message := "mschap: FAILED: No NT/LM-Password. Cannot perform authentication" (15) Sent Access-Challenge Id 78 from 10.8.172.26:1812 to 10.8.173.105:38595 length 0 (15) EAP-Message = 0x014e002e1900170303002377d07beda30c6131207f85740de5138af7d4342329fb590ca32ddd8e781256a69c9a3a (15) Message-Authenticator = 0x00000000000000000000000000000000 (15) State = 0x893d3c588e7325ea93a4d1f0a45e4742 (15) Finished request Waking up in 3.4 seconds. (16) Received Access-Request Id 79 from 10.8.173.105:38595 to 10.8.172.26:1812 length 320 (16) User-Name = "phil.grace@hssd.k12.ar.us" (16) NAS-IP-Address = 10.8.173.105 (16) Called-Station-Id = "8A-15-54-AB-61-48:Faculty" (16) NAS-Port-Type = Wireless-802.11 (16) Service-Type = Framed-User (16) NAS-Port = 1 (16) Calling-Station-Id = "C8-3C-85-9C-A7-17" (16) Connect-Info = "CONNECT 54.00 Mbps, 802.11ac, RSSI: 26, Channel: 149" (16) Acct-Session-Id = "03D12019BACECB86" (16) WLAN-Pairwise-Cipher = 1027076 (16) WLAN-Group-Cipher = 1027074 (16) WLAN-AKM-Suite = 1027073 (16) Meraki-Device-Name = "Technology Dept" (16) Framed-MTU = 1400 (16) EAP-Message = 0x024e002e1900170303002321d3fee96f33295e5c79085340cadd61fe65772f5ac4bf4fb1b67c9346e8461e546cea (16) State = 0x893d3c588e7325ea93a4d1f0a45e4742 (16) Message-Authenticator = 0x36f2f741b4dbc208756af96049eeda54 (16) Restoring &session-state (16) &session-state:Module-Failure-Message := "mschap: FAILED: No NT/LM-Password. Cannot perform authentication" (16) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (16) authorize { (16) policy filter_username { (16) if (&User-Name) { (16) if (&User-Name) -> TRUE (16) if (&User-Name) { (16) if (&User-Name =~ / /) { (16) if (&User-Name =~ / /) -> FALSE (16) if (&User-Name =~ /@[^@]*@/ ) { (16) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (16) if (&User-Name =~ /\.\./ ) { (16) if (&User-Name =~ /\.\./ ) -> FALSE (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (16) if (&User-Name =~ /\.$/) { (16) if (&User-Name =~ /\.$/) -> FALSE (16) if (&User-Name =~ /@\./) { (16) if (&User-Name =~ /@\./) -> FALSE (16) } # if (&User-Name) = notfound (16) } # policy filter_username = notfound (16) [preprocess] = ok (16) [chap] = noop (16) [mschap] = noop (16) [digest] = noop (16) suffix: Checking for suffix after "@" (16) suffix: Looking up realm "hssd.k12.ar.us" for User-Name = "phil.grace@hssd.k12.ar.us" (16) suffix: No such realm "hssd.k12.ar.us" (16) [suffix] = noop (16) eap: Peer sent EAP Response (code 2) ID 78 length 46 (16) eap: Continuing tunnel setup (16) [eap] = ok (16) } # authorize = ok (16) Found Auth-Type = eap (16) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (16) authenticate { (16) eap: Expiring EAP session with state 0x53c912cb54220b41 (16) eap: Finished EAP session with state 0x893d3c588e7325ea (16) eap: Previous EAP request found for state 0x893d3c588e7325ea, released from the list (16) eap: Peer sent packet with method EAP PEAP (25) (16) eap: Calling submodule eap_peap to process data (16) eap_peap: Continuing EAP-TLS (16) eap_peap: [eaptls verify] = ok (16) eap_peap: Done initial handshake (16) eap_peap: [eaptls process] = ok (16) eap_peap: Session established. Decoding tunneled attributes (16) eap_peap: PEAP state send tlv failure (16) eap_peap: Received EAP-TLV response (16) eap_peap: ERROR: The users session was previously rejected: returning reject (again.) (16) eap_peap: This means you need to read the PREVIOUS messages in the debug output (16) eap_peap: to find out the reason why the user was rejected (16) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you (16) eap_peap: what went wrong, and how to fix the problem (16) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (16) eap: Sending EAP Failure (code 4) ID 78 length 4 (16) eap: Failed in EAP select (16) [eap] = invalid (16) } # authenticate = invalid (16) Failed to authenticate the user (16) Using Post-Auth-Type Reject (16) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (16) Post-Auth-Type REJECT { (16) attr_filter.access_reject: EXPAND %{User-Name} (16) attr_filter.access_reject: --> phil.grace@hssd.k12.ar.us (16) attr_filter.access_reject: Matched entry DEFAULT at line 11 (16) [attr_filter.access_reject] = updated (16) [eap] = noop (16) policy remove_reply_message_if_eap { (16) if (&reply:EAP-Message && &reply:Reply-Message) { (16) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (16) else { (16) [noop] = noop (16) } # else = noop (16) } # policy remove_reply_message_if_eap = noop (16) } # Post-Auth-Type REJECT = updated (16) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (16) Sending delayed response (16) Sent Access-Reject Id 79 from 10.8.172.26:1812 to 10.8.173.105:38595 length 44 (16) EAP-Message = 0x044e0004 (16) Message-Authenticator = 0x00000000000000000000000000000000 =================================================================================== Phil Grace Director of Technology Heber Springs School District phil.grace@hssd.k12.ar.us Arkansas LEA Rep to the NCES Forum National Center for Education Statistics https://nces.ed.gov/forum/