Hello, I have two freeradius v2.1.3-1 servers setup to run with redundant load balancing with two Windows Active Directory LDAP servers for authentication. When the LDAP servers are running the radius will load-balance between them and authenticate fine. If I shut the primary LDAP server down radius doesn't authenticate properly against the second LDAP server. I have tested the secondary LDAP as the the primary in the radius configuration and it works fine. If I change the radius config to have a bogus primary name it will then authenticate with the secondary fine. But when it has the correct name and the primary is down the authentication fails. I believe it may have something to do with ntlm_auth but I don't understand why as in the other test instances with the bogus name it works. Below is the LDAP portion of my server along with a part of the debug of what happens when I shutdown the primary LDAP server. If anyone has any suggestions it would be much appreciated. Thank you, Justin Radius.conf ************************************************************************************************* ldap ds-01 { server = "ldap1.domain.org" port = 3268 identity = " bob@domain.org " password = "****" basedn = "dc=domain,dc=org" filter = "(sAMAccountname=%{mschap:User-Name:-%{User-Name}})" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" groupmembership_attribute = memberOf } ldap ds-02 { server = "ldap2.domain.org" port = 3268 identity = "****" password = "****" basedn = "dc=domain,dc=org" filter = "(sAMAccountname=%{mschap:User-Name:-%{User-Name}})" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" groupmembership_attribute = memberOf } instantiate { exec expr expiration logintime redundant-load-balance redundant_ldap { ds-01 ds-02 } } **************************************************************************************************** Debug file portion that points to ntlm_auth (as you can see the redundancy works except the ms-chap portion) **************************************************************************************************** ++- entering redundant-load-balance group redundant_ldap {...} [ds-01] performing user authorization for DoeJ [ds-01] expand: (sAMAccountname=%{mschap:User-Name:-%{User-Name}}) -> (sAMAccountname=DoeJ) [ds-01] expand: dc=domain,dc=org -> dc=domain,dc=org rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap1.domain.org:3268, authentication 0 rlm_ldap: bind as bob@domain.org/**** to ldap1.domain.org:3268 rlm_ldap: bob@domain.org bind to ldap1.domain.org:3268 failed: Can't contact LDAP server rlm_ldap: (re)connection attempt failed [ds-01] search failed rlm_ldap: ldap_release_conn: Release Id: 0 +++[ds-01] returns fail [ds-02] performing user authorization for DoeJ [ds-02] expand: (sAMAccountname=%{mschap:User-Name:-%{User-Name}}) -> (sAMAccountname=DoeJ) [ds-02] expand: dc=domain,dc=org -> dc=domain,dc=org rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=domain,dc=org, with filter (sAMAccountname=DoeJ) [ds-02] looking for check items in directory... [ds-02] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ds-02] user DoeJ authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ds-02] returns ok ++- redundant-load-balance group redundant_ldap returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for DoeJ with NT-Password [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [mschap] expand: --username=%{Stripped-User-Name:-%{mschap:User-Name}} -> --username=DoeJ [mschap] mschap2: 4d [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=92aa0495d9c105f7 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=ab395391ee828796a6b2458cf767e8fa87eb8530457f7b67 Exec-Program output: No logon servers (0xc000005e) Exec-Program-Wait: plaintext: No logon servers (0xc000005e) Exec-Program: returned: 1 [mschap] External script failed. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. Login incorrect: [domain\\DoeJ] (from client switch-man-lan port 0 via TLS tunnel) ****************************************************************************************************