Hi, I'am trying to make FR 2.1.10 on Squeeze work with my LDAP installation. What I want to do is: A host-based authentification for my workstations. All the names of the workstations are in LDAP, the authentification itself should be done with EAP-TLS. I would like to have a hint, how to start EAP when the LDAP-Query was successfull. The LDAP-Query works I think, FR says: [ldap] user scit-beerchen authorized to use remote access, but then it tries to make some kind of password authentification (I have no password for workstations in LDAP), and is not starting EAP-TLS. The asking host "scit-beerchen" is in the WLAN-User Group. What could I do? Please have a look on my Debug-Output: rad_recv: Access-Request packet from host 10.48.244.28 port 3079, id=0, length=139 User-Name = "scit-beerchen" NAS-IP-Address = 10.48.244.28 Called-Station-Id = "0016b64f44cc" Calling-Station-Id = "002268c63ff2" NAS-Identifier = "0016b64f44cc" NAS-Port = 11 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200001201736369742d626565726368656e Message-Authenticator = 0x12969f7ffa42f57be53a54474c1274be # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "scit-beerchen", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "scit-beerchen", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 0 length 18 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for scit-beerchen [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> scit-beerchen [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=scit-beerchen) [ldap] expand: dc=verwaltung,dc=kh-berlin,dc=de -> dc=verwaltung,dc=kh-berlin,dc=de [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to physalis:389, authentication 0 [ldap] bind as / to physalis:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=verwaltung,dc=kh-berlin,dc=de, with filter (uid=scit-beerchen) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user scit-beerchen authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++? if (notfound) ? Evaluating (notfound) -> FALSE ++? if (notfound) -> FALSE ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=scit-beerchen [ntlm_auth] expand: --password=%{User-Password} -> --password= Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) Exec-Program: returned: 1 ++[ntlm_auth] returns reject Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> scit-beerchen attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.8 seconds. rad_recv: Access-Request packet from host 10.48.244.28 port 3079, id=0, length=139 Cleaning up request 0 ID 0 with timestamp +1034 User-Name = "scit-beerchen" NAS-IP-Address = 10.48.244.28 Called-Station-Id = "0016b64f44cc" Calling-Station-Id = "002268c63ff2" NAS-Identifier = "0016b64f44cc" NAS-Port = 11 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200001201736369742d626565726368656e Message-Authenticator = 0x11c70e19e2f1150428f5cc12d535e57b # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "scit-beerchen", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "scit-beerchen", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 0 length 18 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for scit-beerchen [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> scit-beerchen [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=scit-beerchen) [ldap] expand: dc=verwaltung,dc=kh-berlin,dc=de -> dc=verwaltung,dc=kh-berlin,dc=de [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=verwaltung,dc=kh-berlin,dc=de, with filter (uid=scit-beerchen) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user scit-beerchen authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++? if (notfound) ? Evaluating (notfound) -> FALSE ++? if (notfound) -> FALSE ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=scit-beerchen [ntlm_auth] expand: --password=%{User-Password} -> --password= Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) Exec-Program: returned: 1 ++[ntlm_auth] returns reject Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> scit-beerchen attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 10.48.244.28 port 3079, id=0, length=139 Cleaning up request 1 ID 0 with timestamp +1034 User-Name = "scit-beerchen" NAS-IP-Address = 10.48.244.28 Called-Station-Id = "0016b64f44cc" Calling-Station-Id = "002268c63ff2" NAS-Identifier = "0016b64f44cc" NAS-Port = 11 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200001201736369742d626565726368656e Message-Authenticator = 0x781aba777bfd1eee9fb99135f368597f # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "scit-beerchen", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "scit-beerchen", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 0 length 18 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for scit-beerchen [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> scit-beerchen [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=scit-beerchen) [ldap] expand: dc=verwaltung,dc=kh-berlin,dc=de -> dc=verwaltung,dc=kh-berlin,dc=de [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=verwaltung,dc=kh-berlin,dc=de, with filter (uid=scit-beerchen) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user scit-beerchen authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++? if (notfound) ? Evaluating (notfound) -> FALSE ++? if (notfound) -> FALSE ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=scit-beerchen [ntlm_auth] expand: --password=%{User-Password} -> --password= Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) Exec-Program: returned: 1 ++[ntlm_auth] returns reject Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> scit-beerchen attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 2 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 2 Sending Access-Reject of id 0 to 10.48.244.28 port 3079 Waking up in 4.9 seconds. Cleaning up request 2 ID 0 with timestamp +1034 Ready to process requests. This is my "default" site: authorize { preprocess chap mschap digest suffix ntdomain eap { ok = return } files ldap if (notfound) { reject } expiration logintime pap ntlm_auth } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } digest unix eap Auth-Type LDAP { ldap if (LDAP-Group == "WLAN-User") { noop } else { reject } } ntlm_auth } preacct { preprocess acct_unique suffix files } accounting { detail unix radutmp exec attr_filter.accounting_response } session { radutmp } post-auth { exec Post-Auth-Type REJECT { attr_filter.access_reject } } pre-proxy { } post-proxy { eap } TIA Alex