Hi everybody, I have a problem with radius. This my architecture: 1. AP 192.168.0.210 2. Radius proxy: 192.168.0.158 3. Radius server: 192.168.0.243 The operating system of both radius server and radius proxy is CentOS 7, I have installed freeradius 3.0.4. I use MySQL to store the users. When I try to connect by using the command "radtest" everything works perfectly, here the command: "radtest danilo.raspa@realm_example.com 1234 192.168.0.158 18120 password" The problem is that when I try to connect from my phone using EAP PEAP(using same danilo.raspa@realm_example.com/1234) I recieve an "Access Reject" message from the radius server (this is the error: "eap : Identity does not match User-Name, setting from EAP Identity"). Here are some other info: proxy.conf (from radius proxy) [.. default part ..] home_server server1 { type = auth ipaddr = 192.168.0.243 port = 1812 secret = password } home_server_pool server_pool { type = fail-over home_server = server1 } realm "realm_example.com" { auth_pool = server_pool } --------------------------------- mods-enabled/eap eap { default_eap_type = peap proxy_tunneled_request_as_eap = no [..] } --------------------------------- User in table radcheck from schema radius: username: danilo.raspa attribute: Cleartext-Password op: := val: 1234 --------------------------------- Log request from RADIUS PROXY: Received Access-Request Id 168 from 192.168.0.210:3126 to 192.168.0.158:1812 length 168 User-Name = 'danilo.raspa@realm_example.com' NAS-IP-Address = 192.168.0.210 NAS-Identifier = 'RalinkAP0' NAS-Port = 0 Called-Station-Id = '80-1F-02-E0-D9-00' Calling-Station-Id = 'EC-9B-F3-64-E8-00' Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201001d0164616e696c6f2e7261737061406d6f76656e64612e636f6d Message-Authenticator = 0x450b54bc468fdabb50573826f97ac97a (0) Received Access-Request packet from host 192.168.0.210 port 3126, id=168, length=168 (0) User-Name = 'danilo.raspa@realm_example.com' (0) NAS-IP-Address = 192.168.0.210 (0) NAS-Identifier = 'RalinkAP0' (0) NAS-Port = 0 (0) Called-Station-Id = '80-1F-02-E0-D9-00' (0) Calling-Station-Id = 'EC-9B-F3-64-E8-00' (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) EAP-Message = 0x0201001d0164616e696c6f2e7261737061406d6f76656e64612e636f6d (0) Message-Authenticator = 0x450b54bc468fdabb50573826f97ac97a (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) if (!&User-Name) (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\\.\\./ ) (0) if (&User-Name =~ /\\.\\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\\.$/) (0) if (&User-Name =~ /\\.$/) -> FALSE (0) if (&User-Name =~ /@\\./) (0) if (&User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) auth_log : EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log : --> /var/log/radius/radacct/ 192.168.0.210/auth-detail-20170705 (0) auth_log : /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.0.210/auth-detail-20170705 (0) auth_log : EXPAND %t (0) auth_log : --> Wed Jul 5 14:55:26 2017 (0) [auth_log] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : Checking for suffix after "@" (0) suffix : Looking up realm "realm_example.com" for User-Name = " danilo.raspa@realm_example.com" (0) suffix : Found realm "realm_example.com" (0) suffix : Adding Stripped-User-Name = "danilo.raspa" (0) suffix : Adding Realm = "realm_example.com" (0) suffix : Proxying request from user danilo.raspa to realm realm_example.com (0) suffix : Preparing to proxy authentication request to realm " realm_example.com" (0) [suffix] = updated (0) eap : Request is supposed to be proxied to Realm realm_example.com. Not doing EAP. (0) [eap] = noop (0) sql : EXPAND %{User-Name} (0) sql : --> danilo.raspa@realm_example.com (0) sql : SQL-User-Name set to 'danilo.raspa@realm_example.com' rlm_sql (sql): Reserved connection (4) (0) sql : EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql : --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'danilo.raspa@realm_example.com' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'danilo.raspa@realm_example.com' ORDER BY id' (0) sql : User found in radcheck table (0) sql : Check items matched (0) sql : EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql : --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'danilo.raspa@realm_example.com' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radreply WHERE username = 'danilo.raspa@realm_example.com' ORDER BY id' (0) sql : EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) sql : --> SELECT groupname FROM radusergroup WHERE username = ' danilo.raspa@realm_example.com' ORDER BY priority rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = 'danilo.raspa@realm_example.com' ORDER BY priority' (0) sql : User not found in any groups rlm_sql (sql): Released connection (4) rlm_sql (sql): Closing connection (0), from 1 unused connections rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 88 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 88 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 88 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket (0) [sql] = ok (0) [expiration] = noop (0) [logintime] = noop (0) [pap] = noop (0) } # authorize = updated Opening new proxy socket 'proxy address * port 0' Listening on proxy address * port 41438 (0) Proxying request to home server 192.168.0.243 port 1812 timeout 30.000000 (0) Sending Access-Request packet to host 192.168.0.243 port 1812, id=158, length=0 (0) User-Name = 'danilo.raspa' (0) NAS-IP-Address = 192.168.0.210 (0) NAS-Identifier = 'RalinkAP0' (0) NAS-Port = 0 (0) Called-Station-Id = '80-1F-02-E0-D9-A0' (0) Calling-Station-Id = 'EC-9B-F3-64-E8-D8' (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) EAP-Message = 0x0201001d0164616e696c6f2e7261737061406d6f76656e64612e636f6d (0) Message-Authenticator = 0x450b54bc468fdabb50573826f97ac97a (0) Event-Timestamp = 'Jul 5 2017 14:55:26 CEST' (0) Stripped-User-Name = 'danilo.raspa' (0) Realm = 'realm_example.com' (0) EAP-Type = Identity (0) Proxy-State = 0x313638 Sending Access-Request Id 158 from 0.0.0.0:41438 to 192.168.0.243:1812 User-Name = 'danilo.raspa' NAS-IP-Address = 192.168.0.210 NAS-Identifier = 'RalinkAP0' NAS-Port = 0 Called-Station-Id = '80-1F-02-E0-D9-00' Calling-Station-Id = 'EC-9B-F3-64-E8-00' Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201001d0164616e696c6f2e7261737061406d6f76656e64612e636f6d Message-Authenticator = 0x450b54bc468fdabb50573826f97ac97a Event-Timestamp = 'Jul 5 2017 14:55:26 CEST' Proxy-State = 0x313638 Waking up in 0.3 seconds. Waking up in 0.1 seconds. (0) Expecting proxy response no later than 29.499665 seconds from now Waking up in 29.4 seconds. Received Access-Request Id 168 from 192.168.0.210:3126 to 192.168.0.158:1812 length 168 Suppressing duplicate proxied request (too fast) to home server 192.168.0.243 port 1812 proto TCP - ID: 158 Waking up in 29.0 seconds. Received Access-Reject Id 158 from 192.168.0.243:1812 to 192.168.0.158:41438 length 25 Proxy-State = 0x313638 (0) Received Access-Reject packet from host 192.168.0.243 port 1812, id=158, length=25 (0) Proxy-State = 0x313638 (0) # Executing section post-proxy from file /etc/raddb/sites-enabled/default (0) post-proxy { (0) eap : No pre-existing handler found (0) [eap] = noop (0) } # post-proxy = noop (0) Login incorrect (Home Server says so): [danilo.raspa@realm_example.com] (from client company-intranet port 0 cli EC-9B-F3-64-E8-00) (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) sql : EXPAND .query (0) sql : --> .query (0) sql : Using query template 'query' rlm_sql (sql): Reserved connection (4) (0) sql : EXPAND %{User-Name} (0) sql : --> danilo.raspa@realm_example.com (0) sql : SQL-User-Name set to 'danilo.raspa@realm_example.com' (0) sql : EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (0) sql : --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'danilo.raspa@realm_example.com', '', 'Access-Reject', '2017-07-05 14:55:26') rlm_sql (sql): Executing query: 'INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'danilo.raspa@realm_example.com', '', 'Access-Reject', '2017-07-05 14:55:26')' rlm_sql (sql): Released connection (4) rlm_sql (sql): 0 of 1 connections in use. Need more spares rlm_sql (sql): Opening additional connection (5) rlm_sql_mysql: Starting connect to MySQL server (0) [sql] = ok (0) attr_filter.access_reject : EXPAND %{User-Name} (0) attr_filter.access_reject : --> danilo.raspa@realm_example.com (0) attr_filter.access_reject : Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) eap : Request was previously rejected, inserting EAP-Failure (0) [eap] = updated (0) remove_reply_message_if_eap remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else else { (0) [noop] = noop (0) } # else else = noop (0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sending Access-Reject packet to host 192.168.0.210 port 3126, id=168, length=0 (0) EAP-Message = 0x04010004 (0) Message-Authenticator = 0x00000000000000000000000000000000 Sending Access-Reject Id 168 from 192.168.0.158:1812 to 192.168.0.210:3126 EAP-Message = 0x04010004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 168 with timestamp +88 Ready to process requests --------------------------------- Log request from RADIUS SERVER: Received Access-Request Id 158 from 192.168.0.158:41438 to 192.168.0.243:1812 length 167 User-Name = 'danilo.raspa' NAS-IP-Address = 192.168.0.210 NAS-Identifier = 'RalinkAP0' NAS-Port = 0 Called-Station-Id = '80-1F-02-E0-D9-00' Calling-Station-Id = 'EC-9B-F3-64-E8-00' Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201001d0164616e696c6f2e7261737061406d6f76656e64612e636f6d Message-Authenticator = 0x1a099d1b62181477dc9bd471b56d829e Event-Timestamp = 'Jul 5 2017 14:55:26 CEST' Proxy-State = 0x313638 (0) Received Access-Request packet from host 192.168.0.158 port 41438, id=158, length=167 (0) User-Name = 'danilo.raspa' (0) NAS-IP-Address = 192.168.0.210 (0) NAS-Identifier = 'RalinkAP0' (0) NAS-Port = 0 (0) Called-Station-Id = '80-1F-02-E0-D9-00' (0) Calling-Station-Id = 'EC-9B-F3-64-E8-00' (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) EAP-Message = 0x0201001d0164616e696c6f2e7261737061406d6f76656e64612e636f6d (0) Message-Authenticator = 0x1a099d1b62181477dc9bd471b56d829e (0) Event-Timestamp = 'Jul 5 2017 14:55:26 CEST' (0) Proxy-State = 0x313638 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) if (!&User-Name) (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\\.\\./ ) (0) if (&User-Name =~ /\\.\\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\\.$/) (0) if (&User-Name =~ /\\.$/) -> FALSE (0) if (&User-Name =~ /@\\./) (0) if (&User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) auth_log : EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log : --> /var/log/radius/radacct/ 192.168.0.158/auth-detail-20170705 (0) auth_log : /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.0.158/auth-detail-20170705 (0) auth_log : EXPAND %t (0) auth_log : --> Wed Jul 5 14:55:26 2017 (0) [auth_log] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : Checking for suffix after "@" (0) suffix : No '@' in User-Name = "danilo.raspa", looking up realm NULL (0) suffix : No such realm "NULL" (0) [suffix] = noop (0) eap : Peer sent code Response (2) ID 1 length 29 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap : Identity does not match User-Name, setting from EAP Identity <-----[I think that the problem is HERE!!] (0) eap : Failed in handler (0) [eap] = invalid (0) } # authenticate = invalid (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) sql : EXPAND .query (0) sql : --> .query (0) sql : Using query template 'query' rlm_sql (sql): Reserved connection (4) (0) sql : EXPAND %{User-Name} (0) sql : --> danilo.raspa (0) sql : SQL-User-Name set to 'danilo.raspa' (0) sql : EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (0) sql : --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'danilo.raspa', '', 'Access-Reject', '2017-07-05 14:55:26') rlm_sql (sql): Executing query: 'INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'danilo.raspa', '', 'Access-Reject', '2017-07-05 14:55:26')' rlm_sql (sql): Released connection (4) (0) [sql] = ok (0) attr_filter.access_reject : EXPAND %{User-Name} (0) attr_filter.access_reject : --> danilo.raspa (0) attr_filter.access_reject : Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) eap : Identity does not match User-Name, setting from EAP Identity (0) eap : Failed to get handler, probably already removed, not inserting EAP-Failure (0) [eap] = noop (0) remove_reply_message_if_eap remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else else { (0) [noop] = noop (0) } # else else = noop (0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sending Access-Reject packet to host 192.168.0.158 port 41438, id=158, length=0 (0) Proxy-State = 0x313638 Sending Access-Reject Id 158 from 192.168.0.243:1812 to 192.168.0.158:41438 Proxy-State = 0x313638 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 158 with timestamp +7 Ready to process requests ---------------------------------------- Thanks in advance Danilo Raspa