Hi Alan Thank you for your reply. I have made the change you suggested and (in my novice view) there now appears to be more progress than before. I completely appreciate that it's an old build, but it was included with an older version of macOS Server and I'm trying to get things working before I attempt to update anything. It relies on an Apple module 'opendirectory', which is responsible for querying the directory service running on the Mac server, and so I don't want to change anything yet until I can get things going. I certainly take your point on board though and will look to update to 2.2.10 as soon as possible. Here is the latest debug output after making the change you suggested. If I am interpreting this correctly, the 'radiustest@example.co.uk' username is being stripped and passed to the directory server during request 0: [opendirectory] User radiustest exists in OD [opendirectory] User radiustest is a member of the RADUIS SACL but by the time it gets to request 6 it is using the full username rather than the portion before the @: [mschap] Creating challenge hash with username: radiustest@example.co.uk [mschap] Client is using MS-CHAPv2 for radiustest@example.co.uk, we need NT-Password [mschap] Using OpenDirectory to authenticate [mschap] Unable to find record radiustest@example.co.uk in OD [mschap] Authentication failed for radiustest@example.co.uk ++[mschap] = fail At this point the directory server is seeing a request for radiustest@example.co.uk and rejecting it because of course the username in that format does not exist. Do I need to change anything so that the mschap module is creating the challenge hash with 'radiustest' rather than 'radiustest@example.co.uk', or am I barking up the wrong tree? rad_recv: Access-Request packet from host 192.168.236.45 port 1814, id=139, length=238 User-Name = "radiustest@example.co.uk" NAS-IP-Address = 192.168.236.28 NAS-Port = 0 NAS-Identifier = "192.168.236.26" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "109ADDC49B75" Called-Station-Id = "001A1E04AB58" Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x02010022017261646975737465737440676f73682e63616d64656e2e7363682e756b Aruba-Essid-Name = "school" Aruba-Location-Id = "ICT-TEST" Aruba-AP-Group = "test" Aruba-Device-Type = "Apple" Message-Authenticator = 0x2577b12b1827b2d1f2a6a2b4f41b74c5 Proxy-State = 0x3635 # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "example.co.uk" for User-Name = "radiustest@example.co.uk" [suffix] Found realm "example.co.uk" [suffix] Adding Stripped-User-Name = "radiustest" [suffix] Adding Realm = "example.co.uk" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 1 length 34 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [opendirectory] The host 192.168.236.45 does not have an access group. [opendirectory] User radiustest exists in OD [opendirectory] User radiustest is a member of the RADUIS SACL ++[opendirectory] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 139 to 192.168.236.45 port 1814 EAP-Message = 0x010200061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa2d10e0fa2d31bd8fb902e08f9c31ec3 Proxy-State = 0x3635 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.236.45 port 1814, id=140, length=353 User-Name = "radiustest@example.co.uk" NAS-IP-Address = 192.168.236.28 NAS-Port = 0 NAS-Identifier = "192.168.236.26" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "109ADDC49B75" Called-Station-Id = "001A1E04AB58" Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x0202008315800000007916030100740100007003015e1baa8d3cb0084332627d1fd466f39541f629dc3248b4d4771d23ad28bd3a1800002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000ac007c011000500040100001f000a00080006001700180019000b0002010000050005010000000000120000 Aruba-Essid-Name = "school" Aruba-Location-Id = "ICT-TEST" Aruba-AP-Group = "test" Aruba-Device-Type = "Apple" Message-Authenticator = 0x9e28ec7582c40e3e92a115082a8f054a Proxy-State = 0x3636 State = 0xa2d10e0fa2d31bd8fb902e08f9c31ec3 # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "example.co.uk" for User-Name = "radiustest@example.co.uk" [suffix] Found realm "example.co.uk" [suffix] Adding Stripped-User-Name = "radiustest" [suffix] Adding Realm = "example.co.uk" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 2 length 131 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 121 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 0074], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 0039], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 0665], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [ttls] TLS_accept: SSLv3 write key exchange A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: SSLv3 read client certificate A [ttls] TLS_accept: Need to read more data: SSLv3 read client key exchange A [ttls] TLS_accept: Need to read more data: SSLv3 read client key exchange A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 140 to 192.168.236.45 port 1814 EAP-Message = 0x0103040015c0000008011603010039020000350301b48378abbf7494e069a915f1a572a970e6394437deb9b6fcfba966858aa4697900c01400000dff01000100000b00040300010216030106650b00066100065e00032c3082032830820210a003020102020101300b06092a864886f70d01010b302e311f301d06035504030c16706574657270616e2e676f73682e696e7465726e616c310b3009060355040613024742301e170d3134303832373132313431355a170d3334303832323132313431355a302e311f301d06035504030c16706574657270616e2e676f73682e696e7465726e616c310b300906035504061302474230820122300d06092a EAP-Message = 0x864886f70d01010105000382010f003082010a0282010100a77252a7791bb62f2b8123027ad8cbc388283bee0e334f72e1ca133ebc9b22b84e05b44db7056bcbe8cb4030ff756f91ae48ac7455c6b062c1009301e68847860ab9d642c6ad5990ee7edc417d7dedc3507246ab2ff72afd4160bbe9e0389b20d830082cf91439c344537294b34d78a485df9a8234fe82371c1e16d64cfcce85307216d6517061719f78192f576dd747d805bfa099ed386cbc0ad934b27b311d293aa72af0b7890038ab339df22f70d032ace28ab07d14306232a6a38cfa685afe8bff98f3bddc97cf4389aa0b5f6fa21f7386b72fd14a0879663b618acae7eca2ad59d1d8 EAP-Message = 0x5d927df217427226e7085981260b2f3c7d11bed5808be9333240c10203010001a3533051300e0603551d0f0101ff04040302078030160603551d250101ff040c300a06082b0601050507030130270603551d110420301e8216706574657270616e2e676f73682e696e7465726e616c87040a285cfe300d06092a864886f70d01010b05000382010100407dcb7982c1ec5523ba0b0012255c1d9a11e749b64f2fc121c82529faa3a23fe0fdc53e13004e301fd589ed13f31ca5d63f7cbbce08e211774b6a7ed2b55eed07ab4814046390e8cb22cc47eddd4846c6a709379572875b93dc87a5fe6c54c9a04b6dff791669df38a076ddbd2e718d123fcec7 EAP-Message = 0xe5797635ce17913c9960ba6d82aa46e460bc0abe7384d06d5499d42939f2c72e706e8dbc9cac22dc315f5539af9662461f1f85a5dbd5a892f0ec10c3578ef8c1bf5d2d8150df94eb034146ec458654dd1740c1707f86bb4203a549b9d0d98ab19788238717c1140842ae944d4c2dc50ddf1d4adf6d61d932f892495a264a8b87629bb0a7d76f1b7187a2118200032c3082032830820210a003020102020101300b06092a864886f70d01010b302e311f301d06035504030c16706574657270616e2e676f73682e696e7465726e616c310b3009060355040613024742301e170d3134303832373132313431355a170d3334303832323132313431355a30 EAP-Message = 0x2e311f301d06035504030c16 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa2d10e0fa3d21bd8fb902e08f9c31ec3 Proxy-State = 0x3636 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.236.45 port 1814, id=141, length=228 User-Name = "radiustest@example.co.uk" NAS-IP-Address = 192.168.236.28 NAS-Port = 0 NAS-Identifier = "192.168.236.26" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "109ADDC49B75" Called-Station-Id = "001A1E04AB58" Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x020300061500 Aruba-Essid-Name = "school" Aruba-Location-Id = "ICT-TEST" Aruba-AP-Group = "test" Aruba-Device-Type = "Apple" Message-Authenticator = 0xe4c9628a13844ea439eb4d01e968ed8c Proxy-State = 0x3637 State = 0xa2d10e0fa3d21bd8fb902e08f9c31ec3 # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "example.co.uk" for User-Name = "radiustest@example.co.uk" [suffix] Found realm "example.co.uk" [suffix] Adding Stripped-User-Name = "radiustest" [suffix] Adding Realm = "example.co.uk" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 141 to 192.168.236.45 port 1814 EAP-Message = 0x0104040015c000000801706574657270616e2e676f73682e696e7465726e616c310b300906035504061302474230820122300d06092a864886f70d01010105000382010f003082010a0282010100a77252a7791bb62f2b8123027ad8cbc388283bee0e334f72e1ca133ebc9b22b84e05b44db7056bcbe8cb4030ff756f91ae48ac7455c6b062c1009301e68847860ab9d642c6ad5990ee7edc417d7dedc3507246ab2ff72afd4160bbe9e0389b20d830082cf91439c344537294b34d78a485df9a8234fe82371c1e16d64cfcce85307216d6517061719f78192f576dd747d805bfa099ed386cbc0ad934b27b311d293aa72af0b7890038ab339df22f70 EAP-Message = 0xd032ace28ab07d14306232a6a38cfa685afe8bff98f3bddc97cf4389aa0b5f6fa21f7386b72fd14a0879663b618acae7eca2ad59d1d85d927df217427226e7085981260b2f3c7d11bed5808be9333240c10203010001a3533051300e0603551d0f0101ff04040302078030160603551d250101ff040c300a06082b0601050507030130270603551d110420301e8216706574657270616e2e676f73682e696e7465726e616c87040a285cfe300d06092a864886f70d01010b05000382010100407dcb7982c1ec5523ba0b0012255c1d9a11e749b64f2fc121c82529faa3a23fe0fdc53e13004e301fd589ed13f31ca5d63f7cbbce08e211774b6a7ed2b5 EAP-Message = 0x5eed07ab4814046390e8cb22cc47eddd4846c6a709379572875b93dc87a5fe6c54c9a04b6dff791669df38a076ddbd2e718d123fcec7e5797635ce17913c9960ba6d82aa46e460bc0abe7384d06d5499d42939f2c72e706e8dbc9cac22dc315f5539af9662461f1f85a5dbd5a892f0ec10c3578ef8c1bf5d2d8150df94eb034146ec458654dd1740c1707f86bb4203a549b9d0d98ab19788238717c1140842ae944d4c2dc50ddf1d4adf6d61d932f892495a264a8b87629bb0a7d76f1b7187a21182160301014b0c00014703001741048d722a0b65270892e9bc75ac1f1878571255941d4b8abaed393150566d0825d54eaa1b976720593172fa05575d EAP-Message = 0x93e38a901481b6bf8c6b160cfa68e176d2b873010040ee1d51f30a3fbe39eb5378d2dc0922e18af5a76a55055036a18ecf84a8935a29f89c2b397a655bee4a613a6fdbc955890061dc2534b37a3d5d61a189f27dded1401addc29706f7abbdbb7e761d62a9a9a88411ac32061423a1660fb4db6fdf46ea2706778337476fe961a5cb0319284962c0d40397fc21e97cca94a6360540e51eb2137ebb4675c5cee9ef6473900a10d3a0a35e1dfab899237d996d40341df170cd8f10cc3b511eece77dea00ec3b779de982dec5d4cc664407ec59455e220d9a09438e870c413f4964eb05f043ac9acaa7937e8f7b448aed3123d2600bc471092aa7dafc2d32 EAP-Message = 0x6bc8be0bf5a6db8e5df2c928 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa2d10e0fa0d51bd8fb902e08f9c31ec3 Proxy-State = 0x3637 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.236.45 port 1814, id=142, length=228 User-Name = "radiustest@example.co.uk" NAS-IP-Address = 192.168.236.28 NAS-Port = 0 NAS-Identifier = "192.168.236.26" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "109ADDC49B75" Called-Station-Id = "001A1E04AB58" Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x020400061500 Aruba-Essid-Name = "school" Aruba-Location-Id = "ICT-TEST" Aruba-AP-Group = "test" Aruba-Device-Type = "Apple" Message-Authenticator = 0x5721d8a0eb68e0f1a13a0125c7c3a987 Proxy-State = 0x3639 State = 0xa2d10e0fa0d51bd8fb902e08f9c31ec3 # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "example.co.uk" for User-Name = "radiustest@example.co.uk" [suffix] Found realm "example.co.uk" [suffix] Adding Stripped-User-Name = "radiustest" [suffix] Adding Realm = "example.co.uk" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 142 to 192.168.236.45 port 1814 EAP-Message = 0x0105001f1580000008014456b73978ff61a3af0ca4ba16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa2d10e0fa1d41bd8fb902e08f9c31ec3 Proxy-State = 0x3639 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.236.45 port 1814, id=143, length=366 User-Name = "radiustest@example.co.uk" NAS-IP-Address = 192.168.236.28 NAS-Port = 0 NAS-Identifier = "192.168.236.26" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "109ADDC49B75" Called-Station-Id = "001A1E04AB58" Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x020500901580000000861603010046100000424104210a608054c8ddd857c4896c9107fbe88964d18caf4ad086cee42cda06ea5d685038f7ca5521bfa175227cca875345b6c9e0c6445a4e4f23d362eab64360d9e41403010001011603010030941a8535af0b548685d350fc4433c7ef5cad07647d29bd43f42191382861f4391c2f9198dfe9f4e8863ef7c875ce53a5 Aruba-Essid-Name = "school" Aruba-Location-Id = "ICT-TEST" Aruba-AP-Group = "test" Aruba-Device-Type = "Apple" Message-Authenticator = 0x3038ce0ef15655a7fe33028aaa671617 Proxy-State = 0x3730 State = 0xa2d10e0fa1d41bd8fb902e08f9c31ec3 # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "example.co.uk" for User-Name = "radiustest@example.co.uk" [suffix] Found realm "example.co.uk" [suffix] Adding Stripped-User-Name = "radiustest" [suffix] Adding Realm = "example.co.uk" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 5 length 144 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 134 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 143 to 192.168.236.45 port 1814 EAP-Message = 0x0106004515800000003b140301000101160301003002a2021500d744536bcfcf1b18ab41d9b3dbdeb95b34c6589d07ed092183aeb8f4ce37bcc6bd820084049674e9820ccb Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa2d10e0fa6d71bd8fb902e08f9c31ec3 Proxy-State = 0x3730 Finished request 4. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.236.45 port 1814, id=144, length=317 User-Name = "radiustest@example.co.uk" NAS-IP-Address = 192.168.236.28 NAS-Port = 0 NAS-Identifier = "192.168.236.26" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "109ADDC49B75" Called-Station-Id = "001A1E04AB58" Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x0206005f158000000055170301005005b067f60adac124a184ecc57e6ecc32a8221bbb603ee5924bb79b3ff765334f5cc0c61e0bdd250711ce7888313e6aa003d960b2b9f6843f1a3a94e5e21b7421540dd7f1d2336dc9cbe0bbf664ca1a08 Aruba-Essid-Name = "school" Aruba-Location-Id = "ICT-TEST" Aruba-AP-Group = "test" Aruba-Device-Type = "Apple" Message-Authenticator = 0x20dd42545594cfbe970274ddab52a1d6 Proxy-State = 0x3731 State = 0xa2d10e0fa6d71bd8fb902e08f9c31ec3 # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "example.co.uk" for User-Name = "radiustest@example.co.uk" [suffix] Found realm "example.co.uk" [suffix] Adding Stripped-User-Name = "radiustest" [suffix] Adding Realm = "example.co.uk" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 6 length 95 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 85 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request EAP-Message = 0x02000022017261646975737465737440676f73682e63616d64656e2e7363682e756b FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Got tunneled identity of radiustest@example.co.uk [ttls] Setting default EAP type for tunneled EAP session. [ttls] Sending tunneled request EAP-Message = 0x02000022017261646975737465737440676f73682e63616d64656e2e7363682e756b FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "radiustest@example.co.uk" server inner-tunnel { # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] Looking up realm "example.co.uk" for User-Name = "radiustest@example.co.uk" [suffix] Found realm "example.co.uk" [suffix] Adding Stripped-User-Name = "radiustest" [suffix] Adding Realm = "example.co.uk" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 0 length 34 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /Library/Server/radius/raddb/sites-enabled/inner-tunnel +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [ttls] Got tunneled reply code Access-Challenge EAP-Message = 0x010100371a0101003210006815de0f512aa5e084a9c577c5aef27261646975737465737440676f73682e63616d64656e2e7363682e756b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6d27f3ae6d26e9777944e6ecebb16dd4 [ttls] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 144 to 192.168.236.45 port 1814 EAP-Message = 0x0107009415800000008a17030100201e23f0c8900a7e96509629eb6ee466d25f4ad0e738cf60f9715db3766bd3435a1703010060712a160f13ed9d92772dee8895efb7918e93bd920ee8204bc2d5c89a30a08551f9e4a480fcc024f50ca4d16cb7dd0cf5594e88ffcfe0415d46c1d79c317675af2fcc8a32a1eb0e1686adf3c006ed894e174e4eefb10dd7d158fcf8a2c9bb736a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa2d10e0fa7d61bd8fb902e08f9c31ec3 Proxy-State = 0x3731 Finished request 5. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.236.45 port 1814, id=145, length=365 User-Name = "radiustest@example.co.uk" NAS-IP-Address = 192.168.236.28 NAS-Port = 0 NAS-Identifier = "192.168.236.26" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "109ADDC49B75" Called-Station-Id = "001A1E04AB58" Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x0207008f1580000000851703010080271f7fdade241a0c58e453a885367d4a60ed1ff1569ac5ae6157a339509575b444fb0cd29369a63bc9b2c148cb3e9a8b8806c557ac9be0955c149262709898b4eff18819206df5f98590494f9c4ad8824d6d586540d365f00ab52f6c82604a4f8e4188ca3733a3fbfe70121824006bdd47a2fed015d775560c16e6c8e39de6a2 Aruba-Essid-Name = "school" Aruba-Location-Id = "ICT-TEST" Aruba-AP-Group = "test" Aruba-Device-Type = "Apple" Message-Authenticator = 0xb5e0114d038530bdd5213c43186c635c Proxy-State = 0x3732 State = 0xa2d10e0fa7d61bd8fb902e08f9c31ec3 # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "example.co.uk" for User-Name = "radiustest@example.co.uk" [suffix] Found realm "example.co.uk" [suffix] Adding Stripped-User-Name = "radiustest" [suffix] Adding Realm = "example.co.uk" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 7 length 143 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 133 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request EAP-Message = 0x020100581a0201005331a8ee034419131e7f9fddd19a5a0ba426000000000000000077e94ca004cea6e84942642ad7a244ac8bba9b32193bbfd1007261646975737465737440676f73682e63616d64656e2e7363682e756b FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request EAP-Message = 0x020100581a0201005331a8ee034419131e7f9fddd19a5a0ba426000000000000000077e94ca004cea6e84942642ad7a244ac8bba9b32193bbfd1007261646975737465737440676f73682e63616d64656e2e7363682e756b FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "radiustest@example.co.uk" State = 0x6d27f3ae6d26e9777944e6ecebb16dd4 server inner-tunnel { # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] Looking up realm "example.co.uk" for User-Name = "radiustest@example.co.uk" [suffix] Found realm "example.co.uk" [suffix] Adding Stripped-User-Name = "radiustest" [suffix] Adding Realm = "example.co.uk" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 1 length 88 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /Library/Server/radius/raddb/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /Library/Server/radius/raddb/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: radiustest@example.co.uk [mschap] Client is using MS-CHAPv2 for radiustest@example.co.uk, we need NT-Password [mschap] Using OpenDirectory to authenticate [mschap] Unable to find record radiustest@example.co.uk in OD [mschap] Authentication failed for radiustest@example.co.uk ++[mschap] = fail +} # group MS-CHAP = fail [eap] Freeing handler ++[eap] = reject +} # group authenticate = reject Failed to authenticate the user. Login incorrect: [radiustest@example.co.uk/<via Auth-Type = EAP>] (from client clearpass port 0 via TLS tunnel) Using Post-Auth-Type Reject # Executing group from file /Library/Server/radius/raddb/sites-enabled/inner-tunnel +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> radiustest@example.co.uk attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated } # server inner-tunnel [ttls] Got tunneled reply code Access-Reject MS-CHAP-Error = "\001E=691 R=1" EAP-Message = 0x04010004 Message-Authenticator = 0x00000000000000000000000000000000 [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls rlm_eap_ttls: Freeing handler for user radiustest@example.co.uk [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Login incorrect: [radiustest@example.co.uk/<via Auth-Type = EAP>] (from client clearpass port 0 cli 109ADDC49B75) Using Post-Auth-Type Reject # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +group REJECT { ++? if ("%{EAP-Message}") expand: %{EAP-Message} -> 0x0207008f1580000000851703010080271f7fdade241a0c58e453a885367d4a60ed1ff1569ac5ae6157a339509575b444fb0cd29369a63bc9b2c148cb3e9a8b8806c557ac9be0955c149262709898b4eff18819206df5f98590494f9c4ad8824d6d586540d365f00ab52f6c82604a4f8e4188ca3733a3fbfe70121824006bdd47a2fed015d775560c16e6c8e39de6a2 ? Evaluating ("%{EAP-Message}") -> TRUE ++? if ("%{EAP-Message}") -> TRUE ++if ("%{EAP-Message}") { +++update reply { expand: %{Message-Authenticator} -> 0xb5e0114d038530bdd5213c43186c635c +++} # update reply = noop ++} # if ("%{EAP-Message}") = noop [attr_filter.access_reject] expand: %{User-Name} -> radiustest@example.co.uk attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 6 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 6 Sending Access-Reject of id 145 to 192.168.236.45 port 1814 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x3732 Waking up in 3.8 seconds. Thank you Stuart -- Crossover Solutions Ltd Pound House, 62A Highgate High Street, London, N6 5HX www.crossover.solutions <http://crossover.solutions> • 020 3637 4655 Registered in England and Wales No: 9593204 Registered address as stated Members of the Apple Consultants Network <https://consultants.apple.com/uk/988258> Please submit new support requests to support@crossover.solutions <mailto:support@crossover.solutions>