Hey Hi, I have installed freeradius server and integrated freeipa server, when i run radtest its authenticate perfectly, i configured client.conf to auth my cisco firewall whenever i tried to login using freeipa user on my cisco firewall, radiusd -X debug mode say auth success but i am un able to login into terminal ((9) Sent Access-Accept Id 75 from x.x.x.x:1812 to x.x.x.x:22029 length 0 (9) Finished request). When i use freeipa admin user id i am able to login into cisco firewall to same freeradius server / same configuration. Debug Output: Ready to process requests (8) Received Access-Request Id 74 from 10.0.5.5:22029 to 10.0.0.94:1812 length 128 (8) User-Name = "mohiddin" (8) User-Password = "pass@123" (8) NAS-IP-Address = 10.0.5.5 (8) NAS-Port = 74 (8) NAS-Port-Type = Virtual (8) Cisco-AVPair = "ip:source-ip=10.0.2.49" (8) Calling-Station-Id = "10.0.2.49" (8) Cisco-AVPair = "coa-push=true" (8) # Executing section authorize from file /etc/raddb/sites-enabled/default (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "mohiddin", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: No EAP-Message, not doing EAP (8) [eap] = noop (8) [files] = noop rlm_ldap (ldap): Closing connection (9): Hit idle_timeout, was idle for 133 seconds rlm_ldap (ldap): Closing connection (11): Hit idle_timeout, was idle for 133 seconds rlm_ldap (ldap): Closing connection (8): Hit idle_timeout, was idle for 120 seconds rlm_ldap (ldap): Closing connection (12): Hit idle_timeout, was idle for 120 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (10): Hit idle_timeout, was idle for 113 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (13): Hit idle_timeout, was idle for 113 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (ldap): Opening additional connection (14), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldap://ipa01.test.org:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (14) (8) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (8) ldap: --> (uid=mohiddin) (8) ldap: Performing search in "cn=users,cn=accounts,dc=test,dc=org" with filter "(uid=mohiddin)", scope "sub" (8) ldap: Waiting for search result... (8) ldap: User object found at DN "uid=mohiddin,cn=users,cn=accounts,dc=test,dc=org" (8) ldap: Processing user attributes (8) ldap: control:Password-With-Header += '{SSHA512}FBhJiiB8Uene3Nl6MkFBufEQNVBJsU9GrXy3wXtaaY0mUkjQ5CVAiWdWHHfEf5bZpYWYECf/mvwOojrM/L4dVJLuUJyt+N6Q' rlm_ldap (ldap): Released connection (14) Need 2 more connections to reach min connections (3) rlm_ldap (ldap): Opening additional connection (15), 1 of 31 pending slots used rlm_ldap (ldap): Connecting to ldap://ipa01.test.org:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (8) [ldap] = updated (8) [expiration] = noop (8) [logintime] = noop (8) pap: Converted: &control:Password-With-Header -> &control:SSHA2-512-Password (8) pap: Removing &control:Password-With-Header (8) pap: Normalizing SSHA2-512-Password from base64 encoding, 96 bytes -> 72 bytes (8) [pap] = updated (8) } # authorize = updated (8) Found Auth-Type = PAP (8) # Executing group from file /etc/raddb/sites-enabled/default (8) Auth-Type PAP { (8) pap: Login attempt with password (8) pap: Comparing with "known-good" SSHA2-512-Password (8) pap: User authenticated successfully (8) [pap] = ok (8) } # Auth-Type PAP = ok (8) # Executing section post-auth from file /etc/raddb/sites-enabled/default (8) post-auth { (8) update { (8) No attributes updated (8) } # update = noop (8) [exec] = noop (8) policy remove_reply_message_if_eap { (8) if (&reply:EAP-Message && &reply:Reply-Message) { (8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (8) else { (8) [noop] = noop (8) } # else = noop (8) } # policy remove_reply_message_if_eap = noop (8) } # post-auth = noop (8) Sent Access-Accept Id 74 from 10.0.0.94:1812 to 10.0.5.5:22029 length 0 (8) Finished request Waking up in 4.9 seconds. (8) Cleaning up request packet ID 74 with timestamp +504 Ready to process requests (9) Received Access-Request Id 75 from 10.0.5.5:22029 to 10.0.0.94:1812 length 84 (9) User-Name = "admin" (9) User-Password = "reflexis1" (9) NAS-IP-Address = 10.0.5.5 (9) NAS-Port = 75 (9) NAS-Port-Type = Virtual (9) Cisco-AVPair = "coa-push=true" (9) # Executing section authorize from file /etc/raddb/sites-enabled/default (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "admin", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: No EAP-Message, not doing EAP (9) [eap] = noop (9) [files] = noop rlm_ldap (ldap): Closing connection (14): Hit idle_timeout, was idle for 160 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (15): Hit idle_timeout, was idle for 160 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (ldap): Opening additional connection (16), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldap://ipa01.test.org:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (16) (9) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (9) ldap: --> (uid=admin) (9) ldap: Performing search in "cn=users,cn=accounts,dc=test,dc=org" with filter "(uid=admin)", scope "sub" (9) ldap: Waiting for search result... (9) ldap: User object found at DN "uid=admin,cn=users,cn=accounts,dc=test,dc=org" (9) ldap: Processing user attributes (9) ldap: control:Password-With-Header += '{SSHA512}rtaic2+6VABUusn0KrluEZLtSkvcTxH7SVTmJYwYtlgWqp2f2oMYIQ0AuUTrfNEutEVbn794QFmkwinsfMFihn68yrWO+Po3' rlm_ldap (ldap): Released connection (16) Need 2 more connections to reach min connections (3) rlm_ldap (ldap): Opening additional connection (17), 1 of 31 pending slots used rlm_ldap (ldap): Connecting to ldap://ipa01.test.org:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (9) [ldap] = updated (9) [expiration] = noop (9) [logintime] = noop (9) pap: Converted: &control:Password-With-Header -> &control:SSHA2-512-Password (9) pap: Removing &control:Password-With-Header (9) pap: Normalizing SSHA2-512-Password from base64 encoding, 96 bytes -> 72 bytes (9) [pap] = updated (9) } # authorize = updated (9) Found Auth-Type = PAP (9) # Executing group from file /etc/raddb/sites-enabled/default (9) Auth-Type PAP { (9) pap: Login attempt with password (9) pap: Comparing with "known-good" SSHA2-512-Password (9) pap: User authenticated successfully (9) [pap] = ok (9) } # Auth-Type PAP = ok (9) # Executing section post-auth from file /etc/raddb/sites-enabled/default (9) post-auth { (9) update { (9) No attributes updated (9) } # update = noop (9) [exec] = noop (9) policy remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else { (9) [noop] = noop (9) } # else = noop (9) } # policy remove_reply_message_if_eap = noop (9) } # post-auth = noop (9) Sent Access-Accept Id 75 from 10.0.0.94:1812 to 10.0.5.5:22029 length 0 (9) Finished request Waking up in 4.9 seconds. (9) Cleaning up request packet ID 75 with timestamp +664 Ready to process requests Thanks, Mohiddin.