Hi, sorry for my first email wich was a bit short. Here is a new one with what I'd like to achieve, my conf and the server output. Thanks to everyone involved in helping me ! :) 1. WHAT I'D LIKE TO ACHIEVE : I'd like to allow authentification for our visitors by using the USERS file at the same time. WHen I add a local user, i receive an EAP/TLS error. First, I'd like to know if if it's even possible to do so. 2. MY SERVER CONFIGURATION /etc/freeradius/radiusd.conf max_requests = 38400 auth = yes auth_badpass = yes auth_badpass = yes /etc/freeradius/clients.conf ## RESEAU WIFI client IP/24 { secret = secretpwd shortname = brocaneurocampuswifi /etc/freeradius/users ## CREATION COMPTE TEST test Cleartext-Password := "test" Reply-Message = "Hello, %{User-Name}" /etc/freeradius/modules/ntlm_auth exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --password=%{User-Password}" } /etc/freeradius/sites-enabled/default and /etc/freeradius/sites-enabled/inner-tunnel authenticate { ntlm_auth ... } /etc/freeradius/users #DEFAULT Auth-Type = ntlm_auth freerad service freeradius stop usermod -a -G winbindd_priv freerad chown root:winbindd_priv /var/lib/samba/winbindd_privileged/ service freeradius start /etc/freeradius/modules/mschap with_ntdomain_hack = yes ... ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=DOMAIN_NAME --username=%{mschap:User-Name} --password=%{User-Password} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} " /etc/freeradius/eap.conf default_eap_type = peap ... default_eap_type = mschapv2 3. MY SERVER DEBUG WHEN I TRY TO CONNECT WITH AN ACCOUNT OF THE users files. (Connection with LDAP auth works fine on laptops, iphones, android phones) Ready to process requests. rad_recv: Access-Request packet from host xx.xx.xx.1 port 59771, id=108, length=364 User-Name = "host/HOSTNAME.DOMAIN" Chargeable-User-Identity = "\001" Location-Capable = Civix-Location Calling-Station-Id = "MACADDR" Called-Station-Id = "MACADDR:SSID" NAS-Port = 8 Cisco-AVPair = "audit-session-id=xxxxxxxxxxxxxxxxx" Acct-Session-Id = "ID/xx:xx:xx:xx:xx:xx/111111111" Cisco-AVPair = "mDNS=true" NAS-IP-Address = IP NAS-Identifier = "CiscoWLC" Airespace-Wlan-Id = 11 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "152" EAP-Message = 0x00000000000000000000000000000000aaaaaaaaaaa Message-Authenticator = 0x000000000000000000000 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "host/HOSTNAME.DOMAIN", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 2 length 38 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 108 to IP port 59771 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x11111111111111111111111111111111111111111 Finished request 34. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host IP port 59771, id=109, length=510 User-Name = "host/HOSTNAME.DOMAIN" Chargeable-User-Identity = "\001" Location-Capable = Civix-Location Calling-Station-Id = "MACADDR" Called-Station-Id = "MACADDR:SSID" NAS-Port = 8 Cisco-AVPair = "audit-session-id=xxxxxxxxxxxxxxxxx" Acct-Session-Id = "" Cisco-AVPair = "mDNS=true" NAS-IP-Address = 172.31.10.1 NAS-Identifier = "CiscoWLC" Airespace-Wlan-Id = 11 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "152" EAP-Message = 0x00000000000000000000000000000000 State = Message-Authenticator = # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "host/HOSTNAME.DOMAIN", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 3 length 166 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 156 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0097], ClientHello [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 0039], ServerHello [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 02e4], Certificate [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: unknown state [peap] TLS_accept: unknown state [peap] TLS_accept: Need to read more data: unknown state In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 109 to 172.31.10.1 port 59771 EAP-Message = 0x00000000000000000000000000000000 EAP-Message = 0x00000000000000000000000000000000 EAP-Message = 0x00000000000000000000000000000000 EAP-Message = 0x00000000000000000000000000000000 EAP-Message = 0xbcfe187aaa8a11b59a0d6a57 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd8dcb87ed9d8a1265676698e87672627 Finished request 35. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.31.10.1 port 59771, id=110, length=350 User-Name = "host/HOSTNAME.DOMAIN" Chargeable-User-Identity = "\001" Location-Capable = Civix-Location Calling-Station-Id = "MACADDR" Called-Station-Id = "MACADDR:SSID" NAS-Port = 8 Cisco-AVPair = "audit-session-id=00000000000" Acct-Session-Id = "ID/xx:xx:xx:xx:xx:xx/111111111" Cisco-AVPair = "mDNS=true" NAS-IP-Address = 172.31.10.1 NAS-Identifier = "CiscoWLC" Airespace-Wlan-Id = 11 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "152" EAP-Message = 0x020400061900 State = 0xd8dcb87ed9d8a1265676698e87672627 Message-Authenticator = 0x84bbb2c96c1d5b5500daa8aa4c6e83f9 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "host/HOSTNAME.DOMAIN", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 110 to IP port 59771 EAP-Message = 0x00000000000000000000000000000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x00000000000000000000000000000000 Finished request 36. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.31.10.1 port 59771, id=111, length=361 User-Name = "host/HOSTNAME.DOMAIN" Chargeable-User-Identity = "\001" Location-Capable = Civix-Location Calling-Station-Id = "MACADDR" Called-Station-Id = "MACADDR:SSID" NAS-Port = 8 Cisco-AVPair = "audit-session-id=010a1fac007199dcc0f9bc5a" Acct-Session-Id = "ID/xx:xx:xx:xx:xx:xx/111111111" Cisco-AVPair = "mDNS=true" NAS-IP-Address = 172.31.10.1 NAS-Identifier = "CiscoWLC" Airespace-Wlan-Id = 11 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "152" EAP-Message = 0x000000000000000000000 State = 0x000000000000000000000 Message-Authenticator = 0x55471ef471cea67863dcad3682750cef # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "host/HOSTNAME.DOMAIN", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 5 length 17 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 7 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept: failed in unknown state rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca SSL: SSL_read failed inside of TLS (-1), TLS session fails. TLS receive handshake failed during operation [peap] eaptls_process returned 4 [peap] EAPTLS_OTHERS [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Login incorrect (TLS Alert read:fatal:unknown CA): [host/HOSTNAME.DOMAIN/<via Auth-Type = EAP>] (from client client_name port 8 cli MACADDR) Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> host/HOSTNAME.DOMAIN attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 37 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 37 Sending Access-Reject of id 111 to 172.31.10.1 port 59771 EAP-Message = 0x04050004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 34 ID 108 with timestamp +113 Cleaning up request 35 ID 109 with timestamp +113 Cleaning up request 36 ID 110 with timestamp +114 Waking up in 1.0 seconds. Cleaning up request 37 ID 111 with timestamp +114 Ready to process requests. -- Jean-François MONI Technicien Informatique Centre Broca Nouvelle-Aquitaine 146 rue Léo Saignat 33076 Bordeaux Cedex