when I use the with-ntdomain-hack=no the result is :
Where is that line? You should enable it in mschap module. It shouldn't have any effect on EAP Identity.
I use it in preprocess file, now I set it in mschap module too
[peap] Had sent TLV failure. User was rejected earlier in this session.
Debug you posted is useless. You have deleted the important bits.
I think peap is work good, don't it? ( ... [peap] (other): SSL negotiation finished successfully ... [peap] EAPTLS_SUCCESS ... ) machap module: mschap { with_ntdomain_hack = no } --------------------- eap.conf file: eap { default_eap_type = tls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 leap { } gtc { #challenge = "Password: " auth_type = PAP } tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_password = pass private_key_file = ${certdir}/server.pem certificate_file = ${certdir}/server.pem CA_file = ${cadir}/ca.pem dh_file = ${certdir}/dh random_file = ${certdir}/random fragment_size = 1024 include_length = yes cache { enable = no lifetime = 24 # hours max_entries = 255 } } ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } peap default_eap_type = mschapv2 virtual_server = "inner-tunnel" } mschapv2 { } } -------------------------------------- here is the debug, I hope it is usefull: [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 70 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0041], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 084e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 97 to 192.168.1.1 port 1812 EAP-Message = 0x0103040019c00000088b160301002a0200002603014922ab54fa757c7768f8d465c3e5679f3e35b71e1933e5aad7ad7d60b6ea8d2900000400160301084e0b00084a000847000396308203923082027aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3038313131323134313231355a170d3039313131323134313231355a306c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e311330110603550403130a736572766572636572743120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a02820101009cf50fd32f4c11e95fb8dc2e365a1d0246c0dd39e616ed0621a36edea241836b39bd38ab2b008b2c1f00f8034d31664e0557ef16daa4bb8bc6ba05765b46be150ed10a90e18a960a1f634a300c1a EAP-Message = 0x40ab58da8da31c607e05e359781ed7bc73b443c21c46eca871ae4fe72627cae7b5222852bc50b9d843f4e53469f51cf84726dca616c85e804c839b438a187a28e03872af3a01265ffd51d37f15c2df5007e264948a2b44ddf367268123db200c007408528d35296009e884ef9ecc648a754ef6e674d33abbc466178cf1c51b91cdf50d235e70bdb043237d47809a89fb628f3be91d318ffbe70b7df70cf74e8ff0b2fb66996b64863074f2daef8da1ac411d0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100a966a877dac3f553bc1350f31aa5e89da01a9b3cd7d3488016 EAP-Message = 0x63fd1c780ae69af09d1200e1d3aaf514ee8fecc8e182a4e5e900727a4988e9e644fb5fc351a3553558a96ebed4db761b2d1c4cd5ac978ae2234d02ca514a4f4fc4ff5e13cd2f805b3f1b50e9bcd42a32487d04160d3d6eee0b5d15890f2d7cbd201ccdfad9806f2d2b993e71e341d817ef31ff6c8906f89b2a5673a7368d166a2244a65f2de426e322dbcfb114e8d9c08ebadae09c411838c274b4834b4eaa6aee7590b643bcff77057eb94525185e1cf3e760f675d104ff5fdd43f5e8b119806300db9913112fb38ae30721c6702080822add762cf9101134bc2159370d4739f94f41bcce10940004ab308204a73082038fa00302010202090089def0 EAP-Message = 0x223a727e53300d06092a8648 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf9af3e19fbac2729f634465079c20687 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=98, length=168 NAS-IP-Address = 192.168.1.1 NAS-Port = 50003 Cisco-NAS-Port = "FastEthernet0/3" NAS-Port-Type = Ethernet User-Name = "ROUTER\\Hege" Called-Station-Id = "00-09-B7-94-CA-83" Calling-Station-Id = "00-13-D4-E7-B3-FB" Service-Type = Framed-User Framed-MTU = 1500 State = 0xf9af3e19fbac2729f634465079c20687 EAP-Message = 0x020300061900 Message-Authenticator = 0x0dd953ac5a0b9ac9d33afc8f9e85cb8c +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ROUTER\Hege", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 98 to 192.168.1.1 port 1812 EAP-Message = 0x010403fc194086f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3038313131323134303630325a170d3038313231323134303630325a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013 EAP-Message = 0x060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100d6254f5b7dca4a0429bfeb81eb3f2c33c1aee1cd37b8ab285ea762e728c89b92c9f6def3ae3ef2565c7d0c3a891cf07ab0de99232fedd2193b10026f2a52d7159f7adfabdd33289b653d7fa230c2f8acd2b3b12ff946c4c456e621e40d02debbb2272f619896e75707de5011751d5e5798e76629161e09de868a818d8c15c6 EAP-Message = 0xb3b6bc37dc8b7360ebafa08a472f4f08324f94baf52176c33a70c2a3e9859860d4a38b2ddba21ec57d28f0db6ba26499df7b7f38b79636bef4e2a3eede3270d5ea1e362405db07ee761236044f7cdcb444c807b186307d62ae4a62f54ae4d9c00dc7ffc74703b67da9de4cdba901ed955bd5e0290a23f22ea98587a165e4a48dbf0203010001a381fb3081f8301d0603551d0e04160414bfc663b94da2edbfe2e3496d345fefb975df680c3081c80603551d230481c03081bd8014bfc663b94da2edbfe2e3496d345fefb975df680ca18199a48196308193310b3009060355040613024652310f300d0603550408130652616469757331123010060355 EAP-Message = 0x04071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747982090089def0223a727e53300c0603551d13040530030101ff300d06092a864886f70d010105050003820101004d7a670b516773d9e34798399495b4fb7f173248f96bd51f14015a5b0502b7d8193759e4508aad49c44e9ee0b0a3a0ccb6655c85d6218c0f8ee982ba16ef6393c5415edadcc63381337d3f6f5fc764c287a968fe86f9050e4a30038ce45d83306fb5 EAP-Message = 0x6478ad919a40d53b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf9af3e19faab2729f634465079c20687 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=99, length=168 NAS-IP-Address = 192.168.1.1 NAS-Port = 50003 Cisco-NAS-Port = "FastEthernet0/3" NAS-Port-Type = Ethernet User-Name = "ROUTER\\Hege" Called-Station-Id = "00-09-B7-94-CA-83" Calling-Station-Id = "00-13-D4-E7-B3-FB" Service-Type = Framed-User Framed-MTU = 1500 State = 0xf9af3e19faab2729f634465079c20687 EAP-Message = 0x020400061900 Message-Authenticator = 0x2903cae7a8b539c0052a57fdf5fa17ad +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ROUTER\Hege", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 99 to 192.168.1.1 port 1812 EAP-Message = 0x010500a5190050d2fe7290c9148457049118d051c1aed898c63ba4b4137717f010d720d687dfc94a4a1a6ceadf41c02795724b4842f9951646b1149fd1170c091d11b023eda2cd60bec931560c747702eef5b5ff49fde1d2246fe8edfe998ce57398fa375afac3f1314e3086e6586872bd3a0572c271c08c0c715c3a51c38655c6f13d4d315c364c87b365e3d69bd361418fca16894de67fe5086b2a16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf9af3e19fdaa2729f634465079c20687 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=100, length=484 NAS-IP-Address = 192.168.1.1 NAS-Port = 50003 Cisco-NAS-Port = "FastEthernet0/3" NAS-Port-Type = Ethernet User-Name = "ROUTER\\Hege" Called-Station-Id = "00-09-B7-94-CA-83" Calling-Station-Id = "00-13-D4-E7-B3-FB" Service-Type = Framed-User Framed-MTU = 1500 State = 0xf9af3e19fdaa2729f634465079c20687 EAP-Message = 0x020501401980000001361603010106100001020100531fcfd0446c581fbfbc50ddd96e5df661c19cd3c04e9cd8c72d8de897c39c4926676109afb1ca8c8bfc4ae167096c0ca7a031a1ea50727eb22ca1c046cb3ba3dda3bbc2db0126e6d8c4f1ec853827b3b0cae9cee996e718fe5267730bca196abe7fbfc02b5e5e82a579ea81e4a978287184ea63505d8d98263f9fbce51931ee718285051d7f4a80911173daa6db0b127942813da4d4f80a4a0d0b828ff35a23b1e9dea7fa669efeaee68d58c83b39b52622418ce99aa96f06fd55c7061d379cd57c395fb0c0035ce7abef33fdee64dec42d3f3429202572481a226712907cc9fe391669131484b0 EAP-Message = 0x3fa57c9f73c239293b994eec582d42a68979dddbfecb46301403010001011603010020c013ed8bfcb781f55c3ccbdb2f88bb8c6684f1e141c1f3284763121ad33ad697 Message-Authenticator = 0x1eccd1c62fcae6de90ee9ad71ee3f4c4 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ROUTER\Hege", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 310 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 100 to 192.168.1.1 port 1812 EAP-Message = 0x01060031190014030100010116030100206d497e013ac12cd59a70ed0e843cdf19c07e87dc999d2a74fa6afaf3a4d71c3f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf9af3e19fca92729f634465079c20687 Finished request 5. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=101, length=168 NAS-IP-Address = 192.168.1.1 NAS-Port = 50003 Cisco-NAS-Port = "FastEthernet0/3" NAS-Port-Type = Ethernet User-Name = "ROUTER\\Hege" Called-Station-Id = "00-09-B7-94-CA-83" Calling-Station-Id = "00-13-D4-E7-B3-FB" Service-Type = Framed-User Framed-MTU = 1500 State = 0xf9af3e19fca92729f634465079c20687 EAP-Message = 0x020600061900 Message-Authenticator = 0x1785840b012b68397f073225c8178e28 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ROUTER\Hege", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 101 to 192.168.1.1 port 1812 EAP-Message = 0x0107002019001703010015086a2b4c0bbe8ba0ff8b0bd8a05b4a81152567b963 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf9af3e19ffa82729f634465079c20687 Finished request 6. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=102, length=201 NAS-IP-Address = 192.168.1.1 NAS-Port = 50003 Cisco-NAS-Port = "FastEthernet0/3" NAS-Port-Type = Ethernet User-Name = "ROUTER\\Hege" Called-Station-Id = "00-09-B7-94-CA-83" Calling-Station-Id = "00-13-D4-E7-B3-FB" Service-Type = Framed-User Framed-MTU = 1500 State = 0xf9af3e19ffa82729f634465079c20687 EAP-Message = 0x020700271900170301001ca1b8414fd75ccd01cde3fe489e7cb2426bc2b1010c7e426666c43900 Message-Authenticator = 0x95acaa8bb8f013b713401522aae4bbe6 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ROUTER\Hege", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 39 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - ROUTER\Hege [peap] Got tunnled request EAP-Message = 0x0207001001524f555445525c48656765 server (null) { PEAP: Got tunneled identity of ROUTER\Hege PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to ROUTER\Hege Sending tunneled request EAP-Message = 0x0207001001524f555445525c48656765 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "ROUTER\\Hege" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "ROUTER\Hege", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 7 length 16 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010800251a0108002010baa8bce2ab7f754af66ca37dca11bdfb524f555445525c48656765 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x13f3ed6713fbf70e77af625de147f876 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010800251a0108002010baa8bce2ab7f754af66ca37dca11bdfb524f555445525c48656765 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x13f3ed6713fbf70e77af625de147f876 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 102 to 192.168.1.1 port 1812 EAP-Message = 0x0108003c1900170301003122f781e48bee5ca858b2fadc15c1701f0b2e9d222f7b7a86a4e9ab5c9be0fd58be946282e5ae6823590353e614108f01a7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf9af3e19fea72729f634465079c20687 Finished request 7. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=103, length=248 NAS-IP-Address = 192.168.1.1 NAS-Port = 50003 Cisco-NAS-Port = "FastEthernet0/3" NAS-Port-Type = Ethernet User-Name = "ROUTER\\Hege" Called-Station-Id = "00-09-B7-94-CA-83" Calling-Station-Id = "00-13-D4-E7-B3-FB" Service-Type = Framed-User Framed-MTU = 1500 State = 0xf9af3e19fea72729f634465079c20687 EAP-Message = 0x020800561900170301004b8a5f812b2ebd3534c1f7bbfca7fd4254ea57cbbfe3b1b571277441e4676f8e1b169635636883c648bb7b2744288fa1a439af624aac87de7ae083cb3d455b44f1dedc4a3b5bbd01451966ba Message-Authenticator = 0xbe581a9933642f838bd86d2bf15cc1cf +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ROUTER\Hege", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 86 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunnled request EAP-Message = 0x0208003f1a0208003a31a18116247e3cf107cb80957aebda429e0000000000000000ab0bc307e1083f338935929421910d46588c08903505e85f0048656765 server (null) { PEAP: Setting User-Name to ROUTER\Hege Sending tunneled request EAP-Message = 0x0208003f1a0208003a31a18116247e3cf107cb80957aebda429e0000000000000000ab0bc307e1083f338935929421910d46588c08903505e85f0048656765 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "ROUTER\\Hege" State = 0x13f3ed6713fbf70e77af625de147f876 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "ROUTER\Hege", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 8 length 63 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] NT Domain delimeter found, should we have enabled with_ntdomain_hack? [mschap] Told to do MS-CHAPv2 for ROUTER\Hege with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. Login incorrect: [ROUTER\\Hege/<via Auth-Type = EAP>] (from client switch port 0 via TLS tunnel) } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 103 to 192.168.1.1 port 1812 EAP-Message = 0x010900261900170301001bc71968d5cb15656ea6b482aba56df99a166bfba8c87844a6ad1c2a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf9af3e19f1a62729f634465079c20687 Finished request 8. Going to the next request Waking up in 4.4 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=104, length=200 NAS-IP-Address = 192.168.1.1 NAS-Port = 50003 Cisco-NAS-Port = "FastEthernet0/3" NAS-Port-Type = Ethernet User-Name = "ROUTER\\Hege" Called-Station-Id = "00-09-B7-94-CA-83" Calling-Station-Id = "00-13-D4-E7-B3-FB" Service-Type = Framed-User Framed-MTU = 1500 State = 0xf9af3e19f1a62729f634465079c20687 EAP-Message = 0x020900261900170301001b9806b1334ba9d945be522f2855f11e974d221b5b4c98dc0f8402ff Message-Authenticator = 0x7865e1d4e89a37f9d8a2daa60f56bdd6 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ROUTER\Hege", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 38 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Had sent TLV failure. User was rejected earlier in this session. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [ROUTER\\Hege/<via Auth-Type = EAP>] (from client switch port 50003 cli 00-13-D4-E7-B3-FB) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> ROUTER\Hege attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 9 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 9 Sending Access-Reject of id 104 to 192.168.1.1 port 1812 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.4 seconds.