Hello, everyone, Environment: freeradius 3.0.4, strongswan 5.2.0. Could someone give me advices or info why it happened? stages how eap-md5 should work in innner-tunnel? I saw http://wiki.freeradius.org/guide/EAPMD5-HOWTO but it's not enough in my scenario. ..... begin cut .... (5) # Executing group from file /etc/raddb/sites-enabled/default (5) authenticate { (5) eap : Expiring EAP session with state 0xea78d7a3ea79d3c6 (5) eap : Finished EAP session with state 0x9da50fdc99a01a4f (5) eap : Previous EAP request found for state 0x9da50fdc99a01a4f, released from the list (5) eap : Peer sent method TTLS (21) (5) eap : EAP TTLS (21) (5) eap : Calling eap_ttls to process EAP data (5) eap_ttls : Authenticate (5) eap_ttls : processing EAP-TLS TLS Length 69 (5) eap_ttls : Length Included (5) eap_ttls : eaptls_verify returned 11 (5) eap_ttls : eaptls_process returned 7 (5) eap_ttls : Session established. Proceeding to decode tunneled attributes (5) eap_ttls : Got tunneled request EAP-Message = 0x020100160410521e6638c06be72697c7697d1a2289b9 (5) eap_ttls : Sending tunneled request (5) server inner-tunnel { (5) Request: EAP-Message = 0x020100160410521e6638c06be72697c7697d1a2289b9 User-Name = 'stu@sumix.com' State = 0xea78d7a3ea79d3c6e940fe67ef2f7464 (5) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (5) authorize { (5) [preprocess] = ok (5) [files] = noop (5) eap : Peer sent code Response (2) ID 1 length 22 (5) eap : No EAP Start, assuming it's an on-going EAP conversation (5) [eap] = updated (5) } # authorize = updated (5) Found Auth-Type = EAP (5) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (5) authenticate { (5) eap : Expiring EAP session with state 0xea78d7a3ea79d3c6 (5) eap : Finished EAP session with state 0xea78d7a3ea79d3c6 (5) eap : Previous EAP request found for state 0xea78d7a3ea79d3c6, released from the list (5) eap : Peer sent method MD5 (4) (5) eap : EAP MD5 (4) (5) eap : Calling eap_md5 to process EAP data (5) eap_md5 : Cleartext-Password is required for EAP-MD5 authentication (5) ERROR: eap : Failed continuing EAP MD5 (4) session. EAP sub-module failed (5) eap : Failed in EAP select (5) [eap] = invalid (5) } # authenticate = invalid (5) Failed to authenticate the user (5) Login incorrect (eap: Failed continuing EAP MD5 (4) session. EAP sub-module failed): [stu@sumix.com/<via Auth-Type = EAP>] (from client aae-vm port 0 via TLS tunnel) (5) Using Post-Auth-Type Reject (5) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (5) Post-Auth-Type REJECT { (5) attr_filter.access_reject : EXPAND %{User-Name} (5) attr_filter.access_reject : --> stu@sumix.com (5) attr_filter.access_reject : Matched entry DEFAULT at line 11 (5) [attr_filter.access_reject] = updated (5) } # Post-Auth-Type REJECT = updated (5) Reply: EAP-Message = 0x04010004 Message-Authenticator = 0x00000000000000000000000000000000 (5) } # server inner-tunnel (5) eap_ttls : Got tunneled Access-Reject SSL: Removing session adf6f0ff78ebe6faaa6f3949f499535dc8a21dfc72a066a288b3e0e0bfbc9339 from the cache (5) ERROR: eap : Failed continuing EAP TTLS (21) session. EAP sub-module failed (5) eap : Failed in EAP select (5) [eap] = invalid (5) } # authenticate = invalid (5) Failed to authenticate the user (5) Login incorrect (eap: Failed continuing EAP TTLS (21) session. EAP sub-module failed): [stu@sumix.com/<via Auth-Type = EAP>] (from client aae-vm port 68 cli 10.20.9.8[4500]) (5) Using Post-Auth-Type Reject (5) # Executing group from file /etc/raddb/sites-enabled/default (5) Post-Auth-Type REJECT { (5) attr_filter.access_reject : EXPAND %{User-Name} (5) attr_filter.access_reject : --> stu@sumix.com (5) attr_filter.access_reject : Matched entry DEFAULT at line 11 (5) [attr_filter.access_reject] = updated (5) eap : Reply already contained an EAP-Message, not inserting EAP-Failure (5) [eap] = noop (5) remove_reply_message_if_eap remove_reply_message_if_eap { (5) if (&reply:EAP-Message && &reply:Reply-Message) (5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (5) else else { (5) [noop] = noop (5) } # else else = noop (5) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (5) } # Post-Auth-Type REJECT = updated (5) Delaying response for 1 seconds ..... users file stu Cleartext-Password := "x3DdEhgN" stu@sumix.com Cleartext-Password := "x3DdEhgN" big thanks for your help and advices. Oleksandr