Hi, firstly, we are using Freeradius for all kind of authentications - and It works very good!! -> Good Job to all of you. But, lately we have some EAP-Problems mostly with windows-clients. If a user authenticated correctly, after some time he gets disconnected and tries to reauthenticate, but it fails - see Log. Also I have some questions about eap at all. How should it work correctly. because I see up to 10 Authentication-Requests until the client is authenticated correctly. For example the client wants to do EAP-PEAP (Windows-client), but the radius says EAP-NAK: rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/peap rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 231 modcall: leaving group authenticate (returns handled) for request 231 Sending Access-Challenge ... Finished request 231 What does it mean? Can I tune the process? Thank you all for your answers! Best regards FLorian Prester Log: rad_recv: Access-Request packet from host 131.188.4.190:20000, id=35, length=202 NAS-Port-Id = "2059/1" Calling-Station-Id = "00-15-00-01-C0-D1" Called-Station-Id = "00-0B-0E-15-3D-80:FAU-STAFF" Service-Type = Framed-User User-Name = "unrz06" State = 0x... EAP-Message = 0x... NAS-Port-Type = Wireless-802.11 NAS-Identifier = "Trapeze" NAS-IP-Address = 131.188.4.190 Message-Authenticator = 0x... Processing the authorize section of radiusd.conf modcall: entering group authorize for request 228 modcall[authorize]: module "preprocess" returns ok for request 228 modcall[authorize]: module "chap" returns noop for request 228 modcall[authorize]: module "mschap" returns noop for request 228 rlm_eap: EAP packet type response id 14 length 53 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 228 users: Matched entry DEFAULT at line 12 modcall[authorize]: module "files" returns ok for request 228 rlm_ldap: - authorize modcall[authorize]: module "ldap" returns ok for request 228 modcall[authorize]: module "perl" returns ok for request 228 modcall: leaving group authorize (returns updated) for request 228 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 228 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A (other): SSL negotiation finished successfully rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) SSL Connection Established rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 228 modcall: leaving group authenticate (returns reject) for request 228 auth: Failed to validate the user. Login incorrect: [unrz06] (from client QRA-MX port 0 cli 00-15-00-01-C0-D1) Sending Access-Reject of id 35 to 131.188.4.190 port 20000 EAP-Message = 0x040e0004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 228 -- Dipl. Inf. Florian Prester Network Administration Regionales RechenZentrum Erlangen Universitaet Erlangen-Nuernberg Martensstr. 1 91052 Erlangen Germany Tel.: +499131 8527813