Hello Everyone, I know I'll probably be berated with this and be told to read the documentation and the debug messages, but I'm at my whits end with this and would like a little direction, even if it a man page or something in the debug messages I missed. Okay, 802.1x for wireless works great when I'm using the default config files. I use the automatically generated cert and create a few users in the users config file. Here is the debug of that user authenticating: rad_recv: Access-Request packet from host 192.168.30.4 port 3072, id=0, length=221 Cleaning up request 31 ID 0 with timestamp +213 User-Name = "nick" NAS-IP-Address = 192.168.30.4 Called-Station-Id = "001217aa3fb7" Calling-Station-Id = "001b6301f74e" NAS-Identifier = "001217aa3fb7" NAS-Port = 56 Framed-MTU = 1400 State = 0xac75dd7bab7cc420d50c8e10f23f3553 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0209005b19001703010050e718360d0f11185fd80d47ada34e743f15ee4fe717bd546fdb0905964163642ec8de6d49e13fdaee97c1777c7729e8041f34f305d47aaabc0fc4814e76a3e2e69252faad5440929c8acf736479c90437 Message-Authenticator = 0x9c1f8ace22588eebd7a7e207c67d2910 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "nick", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 91 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0209003f1a0209003a3172435718fc889114f133ce5f13aa7e3a00000000000000008cacb226a61d81100b7f0313485b86d7fba9bedb93207397006e69636b server { PEAP: Setting User-Name to nick Sending tunneled request EAP-Message = 0x0209003f1a0209003a3172435718fc889114f133ce5f13aa7e3a00000000000000008cacb226a61d81100b7f0313485b86d7fba9bedb93207397006e69636b FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "nick" State = 0xa4d2ade0a4dbb70aa318d5923f95834c server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "nick", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 9 length 63 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry nick at line 60 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv2 for nick with NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010a00331a0309002e533d35363630433534303036413841374444344632424236373344374337413542324634464431333331 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa4d2ade0a5d8b70aa318d5923f95834c [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010a00331a0309002e533d35363630433534303036413841374444344632424236373344374337413542324634464431333331 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa4d2ade0a5d8b70aa318d5923f95834c [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.30.4 port 3072 EAP-Message = 0x010a005b190017030100506b9a851f88d541fab50c47c1df1b0f06e628cea25b716609ff7d21ffebf29b985165fdd96ab6f1b3dc4c2d5840af2cf164d2239c46fe412099ed9a43c2b6a4671d194f2a97c8a71b46a2194d27b2b16b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xac75dd7ba47fc420d50c8e10f23f3553 Finished request 32. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.30.4 port 3072, id=0, length=173 Cleaning up request 32 ID 0 with timestamp +213 User-Name = "nick" NAS-IP-Address = 192.168.30.4 Called-Station-Id = "001217aa3fb7" Calling-Station-Id = "001b6301f74e" NAS-Identifier = "001217aa3fb7" NAS-Port = 56 Framed-MTU = 1400 State = 0xac75dd7ba47fc420d50c8e10f23f3553 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020a002b19001703010020851f2695f1f66ef9a35dcb76dfa176acd5c47a131a8580c47eba67a5df577f00 Message-Authenticator = 0xdf5e02143bd04f312f52bdd368e70e7a +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "nick", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 10 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020a00061a03 server { PEAP: Setting User-Name to nick Sending tunneled request EAP-Message = 0x020a00061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "nick" State = 0xa4d2ade0a5d8b70aa318d5923f95834c server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "nick", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 10 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry nick at line 60 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok } # server inner-tunnel [peap] Got tunneled reply code 2 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "nick" [peap] Got tunneled reply RADIUS code 2 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "nick" [peap] Tunneled authentication was successful. [peap] SUCCESS ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.30.4 port 3072 EAP-Message = 0x010b002b190017030100204c7bbda36687bbec748250a331403e85fcb9bc35f2a071afec4b072eb3cd8cc4 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xac75dd7ba57ec420d50c8e10f23f3553 Finished request 33. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.30.4 port 3072, id=0, length=173 Cleaning up request 33 ID 0 with timestamp +214 User-Name = "nick" NAS-IP-Address = 192.168.30.4 Called-Station-Id = "001217aa3fb7" Calling-Station-Id = "001b6301f74e" NAS-Identifier = "001217aa3fb7" NAS-Port = 56 Framed-MTU = 1400 State = 0xac75dd7ba57ec420d50c8e10f23f3553 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020b002b1900170301002018ce02e38e6c00b421658c4aedcbaa9b965e8c1c089954ec6a1fcc992a1468f8 Message-Authenticator = 0x48b93f3e89b5fc5a91a3d77f26ae3f35 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "nick", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 11 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 0 to 192.168.30.4 port 3072 MS-MPPE-Recv-Key = 0xa65e123a8723dbf8daff315d9eeefead767d1bf58f191a8cd2f14a3202535776 MS-MPPE-Send-Key = 0xfc919ac8721cfbf8ce4e09f20a9da90f63e65645ece3c293a878c58d7ae41af2 EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "nick" Finished request 34. Going to the next request Waking up in 4.9 seconds. Cleaning up request 34 ID 0 with timestamp +214 Ready to process requests. ------------------------------------ And here is is when I configure the modules/ldap. This is with LDAP enabled for authentication in the sites-enabled/inner-tunnel with nothing else changed: rad_recv: Access-Request packet from host 192.168.30.4 port 3072, id=0, length=121 User-Name = "zack" NAS-IP-Address = 192.168.30.4 Called-Station-Id = "001217aa3fb7" Calling-Station-Id = "001b6301f74e" NAS-Identifier = "001217aa3fb7" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02000009017a61636b Message-Authenticator = 0xba6a39bbf4d30c64ad62ca8af7de1e40 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "zack", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.30.4 port 3072 EAP-Message = 0x0101001604103d559c382e7e5d5dedb960b8107f467e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7a53d4d47a52d007e61d2d43d148851e Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.30.4 port 3072, id=0, length=121 Cleaning up request 0 ID 0 with timestamp +34 User-Name = "zack" NAS-IP-Address = 192.168.30.4 Called-Station-Id = "001217aa3fb7" Calling-Station-Id = "001b6301f74e" NAS-Identifier = "001217aa3fb7" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02000009017a61636b Message-Authenticator = 0x3fa8484f6dc6f4a9dab5fccb4646fcf5 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "zack", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.30.4 port 3072 EAP-Message = 0x01010016041082fa9d0faaabc4dbae49e8c8fd2b8081 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0b7341550b724572c83e07f2140503b9 Finished request 1. Going to the next request Waking up in 4.9 seconds. Cleaning up request 1 ID 0 with timestamp +35 Ready to process requests. ----------------------------------- Again, I'm prepared to be told to look here or look there. I just need some guidence. :) --Nick