Hi, so i changed like in the description, see the Text below, and it workes fine with eap-tool, but when i try to use from an AP with the same user that works with the eapool i got foloowing message: (17) State = 0xc49a7b91c0156ec00a1a15f1faab1856 (17) Message-Authenticator = 0xfcd8e560453c0793ff01f894937ed387 (17) session-state: No cached attributes (17) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default-khs (17) authorize { (17) policy filter_username { (17) if (&User-Name) { (17) if (&User-Name) -> TRUE (17) if (&User-Name) { (17) if (&User-Name =~ / /) { (17) if (&User-Name =~ / /) -> FALSE (17) if (&User-Name =~ /@[^@]*@/ ) { (17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (17) if (&User-Name =~ /\.\./ ) { (17) if (&User-Name =~ /\.\./ ) -> FALSE (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (17) if (&User-Name =~ /\.$/) { (17) if (&User-Name =~ /\.$/) -> FALSE (17) if (&User-Name =~ /@\./) { (17) if (&User-Name =~ /@\./) -> FALSE (17) } # if (&User-Name) = notfound (17) } # policy filter_username = notfound (17) suffix: Checking for suffix after "@" (17) suffix: Looking up realm "karlshochschule.de" for User-Name = "testuser@karlshochschule.de" (17) suffix: Found realm "karlshochschule.de" (17) suffix: Adding Stripped-User-Name = "testuser" (17) suffix: Adding Realm = "karlshochschule.de" (17) suffix: Authentication realm is LOCAL (17) [suffix] = ok (17) if (!&Realm) { (17) if (!&Realm) -> FALSE (17) eap: Peer sent EAP Response (code 2) ID 143 length 79 (17) eap: Continuing tunnel setup (17) [eap] = ok (17) } # authorize = ok (17) Found Auth-Type = eap (17) # Executing group from file /etc/freeradius/3.0/sites-enabled/default-khs (17) authenticate { (17) eap: Expiring EAP session with state 0xc49a7b91c0156ec0 (17) eap: Finished EAP session with state 0xc49a7b91c0156ec0 (17) eap: Previous EAP request found for state 0xc49a7b91c0156ec0, released from the list (17) eap: Peer sent packet with method EAP TTLS (21) (17) eap: Calling submodule eap_ttls to process data (17) eap_ttls: Authenticate (17) eap_ttls: Continuing EAP-TLS (17) eap_ttls: Peer indicated complete TLS record size will be 69 bytes (17) eap_ttls: Got complete TLS record (69 bytes) (17) eap_ttls: [eaptls verify] = length included (17) eap_ttls: [eaptls process] = ok (17) eap_ttls: Session established. Proceeding to decode tunneled attributes (17) eap_ttls: Got tunneled request (17) eap_ttls: EAP-Message = 0x02000020017465737475736572406b61726c73686f6368736368756c652e6465 (17) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 (17) eap_ttls: Got tunneled identity of testuser@karlshochschule.de (17) eap_ttls: Setting default EAP type for tunneled EAP session (17) eap_ttls: Sending tunneled request (17) Virtual server inner-tunnel received request (17) EAP-Message = 0x02000020017465737475736572406b61726c73686f6368736368756c652e6465 (17) FreeRADIUS-Proxied-To = 127.0.0.1 (17) User-Name = "testuser@karlshochschule.de" (17) WARNING: Outer and inner identities are the same. User privacy is compromised. (17) server inner-tunnel { (17) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-khs (17) authorize { (17) policy filter_username { (17) if (&User-Name) { (17) if (&User-Name) -> TRUE (17) if (&User-Name) { (17) if (&User-Name =~ / /) { (17) if (&User-Name =~ / /) -> FALSE (17) if (&User-Name =~ /@[^@]*@/ ) { (17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (17) if (&User-Name =~ /\.\./ ) { (17) if (&User-Name =~ /\.\./ ) -> FALSE (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (17) if (&User-Name =~ /\.$/) { (17) if (&User-Name =~ /\.$/) -> FALSE (17) if (&User-Name =~ /@\./) { (17) if (&User-Name =~ /@\./) -> FALSE (17) } # if (&User-Name) = notfound (17) } # policy filter_username = notfound (17) suffix: Checking for suffix after "@" (17) suffix: Looking up realm "karlshochschule.de" for User-Name = "testuser@karlshochschule.de" (17) suffix: Found realm "karlshochschule.de" (17) suffix: Adding Stripped-User-Name = "testuser" (17) suffix: Adding Realm = "karlshochschule.de" (17) suffix: Authentication realm is LOCAL (17) [suffix] = ok (17) update control { (17) &Proxy-To-Realm := LOCAL (17) } # update control = noop rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 227 seconds rlm_ldap (ldap): You probably need to lower "min" ldap_free_connection 1 1 ldap_send_unbind ldap_free_connection: actually freed rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 227 seconds rlm_ldap (ldap): You probably need to lower "min" ldap_free_connection 1 1 ldap_send_unbind ldap_free_connection: actually freed rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for 224 seconds rlm_ldap (ldap): You probably need to lower "min" ldap_free_connection 1 1 ldap_send_unbind ldap_free_connection: actually freed rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 170 seconds rlm_ldap (ldap): You probably need to lower "min" ldap_free_connection 1 1 ldap_send_unbind ldap_free_connection: actually freed rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 170 seconds rlm_ldap (ldap): You probably need to lower "min" ldap_free_connection 1 1 ldap_send_unbind ldap_free_connection: actually freed rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (ldap): Opening additional connection (5), 1 of 10 pending slots used rlm_ldap (ldap): Connecting to ldaps://ldap.karlshochschule.de:636 ldap_create ldap_url_parse_ext(ldaps://ldap.karlshochschule.de:636) TLS: warning: cacertdir not implemented for gnutls ldap_bind ldap_simple_bind ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP ldap.karlshochschule.de:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 20.79.97.218:636 ldap_pvt_connect: fd: 3 tm: 10 async: 0 ldap_ndelay_on: 3 attempting to connect: connect errno: 115 ldap_int_poll: fd: 3 tm: 10 ldap_is_sock_ready: 3 ldap_ndelay_off: 3 ldap_pvt_connect: 0 ldap_open_defconn: successful ldap_send_server_request rlm_ldap (ldap): Waiting for bind result... ldap_result ld 0x555727575600 msgid 1 wait4msg ld 0x555727575600 msgid 1 (timeout 20000000 usec) wait4msg continue ld 0x555727575600 msgid 1 all 1 ** ld 0x555727575600 Connections: * host: ldap.karlshochschule.de port: 636 (default) refcnt: 2 status: Connected last used: Mon Oct 2 10:48:04 2023 ** ld 0x555727575600 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ld 0x555727575600 request count 1 (abandoned 0) ** ld 0x555727575600 Response Queue: Empty ld 0x555727575600 response count 0 ldap_chkResponseList ld 0x555727575600 msgid 1 all 1 ldap_chkResponseList returns ld 0x555727575600 NULL ldap_int_select read1msg: ld 0x555727575600 msgid 1 all 1 read1msg: ld 0x555727575600 msgid 1 message type bind read1msg: ld 0x555727575600 0 new referrals read1msg: mark request completed, ld 0x555727575600 msgid 1 request done: ld 0x555727575600 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_parse_result ldap_msgfree rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (5) (17) ldap: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}}) (17) ldap: --> (cn=testuser) (17) ldap: Performing search in "OU=AADDC Users,dc=karlshochschule,dc=de" with filter "(cn=testuser)", scope "sub" ldap_search_ext put_filter: "(cn=testuser)" put_filter: simple put_simple_filter: "cn=testuser" ldap_build_search_req ATTRS: userPassword ntPassword ldap_send_initial_request ldap_send_server_request (17) ldap: Waiting for search result... ldap_result ld 0x555727575600 msgid 2 wait4msg ld 0x555727575600 msgid 2 (timeout 20000000 usec) wait4msg continue ld 0x555727575600 msgid 2 all 1 ** ld 0x555727575600 Connections: * host: ldap.karlshochschule.de port: 636 (default) refcnt: 2 status: Connected last used: Mon Oct 2 10:48:04 2023 ** ld 0x555727575600 Outstanding Requests: * msgid 2, origid 2, status InProgress outstanding referrals 0, parent count 0 ld 0x555727575600 request count 1 (abandoned 0) ** ld 0x555727575600 Response Queue: Empty ld 0x555727575600 response count 0 ldap_chkResponseList ld 0x555727575600 msgid 2 all 1 ldap_chkResponseList returns ld 0x555727575600 NULL ldap_int_select read1msg: ld 0x555727575600 msgid 2 all 1 read1msg: ld 0x555727575600 msgid 2 message type search-entry read1msg: ld 0x555727575600 msgid 2 message type search-result read1msg: ld 0x555727575600 0 new referrals read1msg: mark request completed, ld 0x555727575600 msgid 2 request done: ld 0x555727575600 msgid 2 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 2, msgid 2) adding response ld 0x555727575600 msgid 2 type 101: ldap_parse_result ldap_get_dn (17) ldap: User object found at DN "CN=testuser,OU=AADDC Users,DC=karlshochschule,DC=de" (17) ldap: Processing user attributes ldap_get_values_len ldap_get_values_len (17) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (17) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) ldap_msgfree rlm_ldap (ldap): Released connection (5) Need 4 more connections to reach min connections (5) rlm_ldap (ldap): Opening additional connection (6), 1 of 9 pending slots used rlm_ldap (ldap): Connecting to ldaps://ldap.karlshochschule.de:636 ldap_create ldap_url_parse_ext(ldaps://ldap.karlshochschule.de:636) TLS: warning: cacertdir not implemented for gnutls ldap_bind ldap_simple_bind ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP ldap.karlshochschule.de:636 ldap_new_socket: 4 ldap_prepare_socket: 4 ldap_connect_to_host: Trying 20.79.97.218:636 ldap_pvt_connect: fd: 4 tm: 10 async: 0 ldap_ndelay_on: 4 attempting to connect: connect errno: 115 ldap_int_poll: fd: 4 tm: 10 ldap_is_sock_ready: 4 ldap_ndelay_off: 4 ldap_pvt_connect: 0 ldap_open_defconn: successful ldap_send_server_request rlm_ldap (ldap): Waiting for bind result... ldap_result ld 0x5557273b7d10 msgid 1 wait4msg ld 0x5557273b7d10 msgid 1 (timeout 20000000 usec) wait4msg continue ld 0x5557273b7d10 msgid 1 all 1 ** ld 0x5557273b7d10 Connections: * host: ldap.karlshochschule.de port: 636 (default) refcnt: 2 status: Connected last used: Mon Oct 2 10:48:04 2023 ** ld 0x5557273b7d10 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ld 0x5557273b7d10 request count 1 (abandoned 0) ** ld 0x5557273b7d10 Response Queue: Empty ld 0x5557273b7d10 response count 0 ldap_chkResponseList ld 0x5557273b7d10 msgid 1 all 1 ldap_chkResponseList returns ld 0x5557273b7d10 NULL ldap_int_select read1msg: ld 0x5557273b7d10 msgid 1 all 1 read1msg: ld 0x5557273b7d10 msgid 1 message type bind read1msg: ld 0x5557273b7d10 0 new referrals read1msg: mark request completed, ld 0x5557273b7d10 msgid 1 request done: ld 0x5557273b7d10 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_parse_result ldap_msgfree rlm_ldap (ldap): Bind successful (17) [ldap] = ok (17) if ((ok || updated) && User-Password && !control:Auth-Type) { (17) if ((ok || updated) && User-Password && !control:Auth-Type) -> FALSE (17) } # authorize = ok (17) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (17) Failed to authenticate the user (17) Using Post-Auth-Type Reject (17) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-khs (17) Post-Auth-Type REJECT { (17) inner_tunnel_linelog: EXPAND messages.%{%{reply:Packet-Type}:-default} (17) inner_tunnel_linelog: --> messages.Access-Reject (17) inner_tunnel_linelog: EXPAND Login incorrect: [%{User-Name}] (%{request:Module-Failure-Message}) (cli %{outer.request:Calling-Station-Id} via TLS tunnel) (17) inner_tunnel_linelog: --> Login incorrect: [testuser@karlshochschule.de] (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject) (cli 90-9C-4A-B9-FD-41 via TLS tunnel) (17) [inner_tunnel_linelog] = ok (17) attr_filter.access_reject: EXPAND %{User-Name} (17) attr_filter.access_reject: --> testuser@karlshochschule.de (17) attr_filter.access_reject: Matched entry DEFAULT at line 11 (17) [attr_filter.access_reject] = updated (17) update outer.session-state { (17) &Module-Failure-Message := &request:Module-Failure-Message -> 'No Auth-Type found: rejecting the user via Post-Auth-Type = Reject' (17) } # update outer.session-state = noop (17) } # Post-Auth-Type REJECT = updated (17) EXPAND badpass (17) --> badpass (17) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [testuser/<no User-Password attribute>] (from client 10.09.9.240 port 0 via TLS tunnel) badpass (17) } # server inner-tunnel (17) Virtual server sending reply (17) eap_ttls: Got tunneled Access-Reject (17) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed (17) eap: Sending EAP Failure (code 4) ID 143 length 4 (17) eap: Failed in EAP select (17) [eap] = invalid (17) } # authenticate = invalid (17) Failed to authenticate the user (17) Using Post-Auth-Type Reject (17) # Executing group from file /etc/freeradius/3.0/sites-enabled/default-khs *********************************************************************** ldap { server = 'ldaps://ldap.karlshochschule.de' port = 636 identity = 'CN=Bind User,OU=AADDC Users,dc=karlshochschule,dc=de' password = password base_dn = 'OU=AADDC Users,dc=karlshochschule,dc=de' user { preprocess suffix base_dn = "${..base_dn}" filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" } update { control:Password-With-Header += 'userPassword' control:NT-Password := 'ntPassword' } post-auth { update { description := "Authenticated at %S" } } options { ldap_debug = 0xFFFF } tls { ca_file = /etc/ssl/certs/ca-certificates.crt ca_path = /etc/ssl/certs/ certificate_file = /etc/ssl/private/rad-ka-swlan.karlshochschule.de.crt private_key_file = /etc/ssl/private/rad-ka-swlan.karlshochschule.de.key } } ************************************************************************ eap { default_eap_type = ttls max_sessions = ${max_requests} tls-config tls-common { #certificate_file = ${certdir}/name-of-certificate-file.pem #private_key_file = ${certdir}/name-of-private-key-file.key #dh_file = ${certdir}/dh certificate_file = /etc/ssl/private/rad-ka-swlan.karlshochschule.de.crt private_key_file = /etc/ssl/private/rad-ka-swlan.karlshochschule.de.key ca_file = /etc/ssl/certs/ca-certificates.crt cipher_list = "DEFAULT !kRSA !PSK !SRP !SSLv3" ecdh_curve = "" } ttls { tls = tls-common virtual_server = inner-tunnel } peap { tls = tls-common virtual_server = inner-tunnel } } *********************************************************************** server inner-tunnel { authorize { filter_username suffix update control { &Proxy-To-Realm := LOCAL } ldap if ((ok || updated) && User-Password && !control:Auth-Type) { update { control:Auth-Type := ldap } } } authenticate { Auth-Type MS-CHAP { mschap } Auth-Type LDAP { ldap } } post-auth { inner_tunnel_linelog Post-Auth-Type REJECT { inner_tunnel_linelog attr_filter.access_reject update outer.session-state { &Module-Failure-Message := &request:Module-Failure-Message } ********************************************************************************************************** server default { listen { type = auth ipv4addr = * port = 0 } authorize { filter_username suffix if (!&Realm) { reject } eap { ok = return } } authenticate { eap } post-auth { if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { update reply { &User-Name !* ANY } } update { &reply: += &session-state: } outer_linelog remove_reply_message_if_eap Post-Auth-Type REJECT { outer_linelog attr_filter.access_reject eap remove_reply_message_if_eap } } pre-proxy { } post-proxy { eap } } *******************************************************************************************************************************