Hi, I have an installation with Samba 4.3.x (with winbindd) and FreeRadius 3.0.11. I want authentication with Windows AD and authorization with Windows AD LDAP. I am trying setup the PEAP mschap wifi and get the following error when /usr/local/bin/radtest radius tycbf@179963 localhost 0 testing123 Ready to process requests (1) Received Access-Request Id 160 from 127.0.0.1:22166 to 127.0.0.1:1812 length 76 (1) User-Name = "radius" (1) User-Password = "tycbf@179963" (1) NAS-IP-Address = 10.200.1.7 (1) NAS-Port = 0 (1) Message-Authenticator = 0xbd3d0852f4606cda7488d1198c4387bc (1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "radius", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: No EAP-Message, not doing EAP (1) [eap] = noop (1) [files] = noop rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 1543 seconds rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 1543 seconds rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 1543 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 1543 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (5): Hit idle_timeout, was idle for 1537 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (ldap): Opening additional connection (6), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldap://10.100.100.10:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (6) (1) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}}) (1) ldap: --> (samaccountname=radius) (1) ldap: Performing search in "dc=sgcom,dc=co,dc=sg" with filter "(samaccountname=radius)", scope "sub" (1) ldap: Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap:// DomainDnsZones.sgcom.co.sg/DC=DomainDnsZones,DC=sgcom,DC=co,DC=sg rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// ForestDnsZones.sgcom.co.sg/DC=ForestDnsZones,DC=sgcom,DC=co,DC=sg rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// sgcom.co.sg/CN=Configuration,DC=sgcom,DC=co,DC=sg rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (1) ldap: User object found at DN "CN=radius,OU=LPK USERS,DC=sgcom,DC=co,DC=sg" (1) ldap: Processing user attributes (1) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (1) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Deleting connection (6) rlm_ldap (ldap): Need 3 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (7), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldap://10.100.100.10:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (1) [ldap] = ok (1) [expiration] = noop (1) [logintime] = noop (1) } # authorize = ok (1) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (1) Failed to authenticate the user (1) Using Post-Auth-Type Reject (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject: EXPAND %{User-Name} (1) attr_filter.access_reject: --> radius (1) attr_filter.access_reject: Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) [eap] = noop (1) policy remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) { (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else { (1) [noop] = noop (1) } # else = noop (1) } # policy remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = updated (1) Delaying response for 1.000000 seconds Waking up in 0.9 seconds. (1) Sending delayed response (1) Sent Access-Reject Id 160 from 127.0.0.1:1812 to 127.0.0.1:22166 length 20 Waking up in 3.9 seconds. (1) Cleaning up request packet ID 160 with timestamp +1543