Hi, Before beginning, sorry for my bad English, I'm French. I'm trying to implement PEAP-MSCHAPV2 support in an existing and working configuration with EAP-TTLS + PAP, giving users a full support of eduroam. There are proxy radius maintained by our national "provider", and they test authentication every 15 minutes. When they only test EAP-TTLS authentication, it works, and this is a part of the output of freeradius -X. Login OK: [user/password] (from client proxyradius port 0 cli 02-00-00-00-00-01 via TLS tunnel) +- entering group post-auth {...} [sql] expand: %{User-Name} -> user@realm [sql] sql_set_user escaped user --> 'user@realm' [sql] expand: %{User-Password} -> password [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'user@realm', 'password', 'Access-Accept', '2010-06-17 18:17:02') [sql] expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'user@realm', 'password', 'Access-Accept', '2010-06-17 18:17:02') rlm_sql (sql): Reserving sql socket id: 4 rlm_sql_mysql: query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'user@realm', 'password', 'Access-Accept', '2010-06-17 18:17:02') rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok expand: %{request:User-Name} -> user@realm ++[outer.reply] returns ok } # server inner-tunnel [ttls] Got tunneled reply code 2 User-Name := "user@realm" [ttls] Got tunneled Access-Accept [eap] Freeing handler ++[eap] returns ok Login OK: [anonymous/<via Auth-Type = EAP>] (from client proxyradius port 0 cli 02-00-00-00-00-01) Then, when I specify that our FreeRADIUS server support PEAP-MSCHAPV2, they test PEAP first and never receive an access-accept or access-reject request form only the outer identity, anonymous@realm. So there is the ouput : Login OK: [user/<via Auth-Type = mschap>] (from client proxyradius port 0 cli 02-00-00-00-00-01 via TLS tunnel) +- entering group post-auth {...} [sql] expand: %{User-Name} -> user@realm [sql] sql_set_user escaped user --> 'user@realm' [sql] expand: %{User-Password} -> [sql] ... expanding second conditional [sql] expand: %{Chap-Password} -> [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'user@realm', '', 'Access-Accept', '2010-06-17 15:32:07') [sql] expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'user@realm', '', 'Access-Accept', '2010-06-17 15:32:07') rlm_sql (sql): Reserving sql socket id: 2 rlm_sql_mysql: query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'user@realm', '', 'Access-Accept', '2010-06-17 15:32:07') rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok expand: %{request:User-Name} -> user@realm ++[outer.reply] returns ok } # server inner-tunnel [ttls] Got tunneled reply code 2 User-Name := "user@realm" MS-CHAP2-Success = 0x54533d42374134413830313835384530453531383135373131384643424442444432464133384345413836 [ttls] Got tunneled Access-Accept [ttls] Got MS-CHAP2-Success, tunneling it to the client in a challenge. ++[eap] returns handled Sending Access-Challenge of id 9 to 193.51.182.121 port 35055 User-Name = "user@realm" EAP-Message = 0x010a005f1580000000551703010050f984b434f276e050b0697e427d30ddfe2c0d9cc56a8f5da6ab447bbabae115d8181dfce1b6e52f33fcd2a20d5e26f574b9be69fa946342eafbd7ea350d5782490593a260401dae6b1c71f16f30b3ab38 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcda13382c4ab2647095b27820a4b1850 Finished request 11. Going to the next request Waking up in 4.7 seconds. And then, the proxyradius sends new Access-Request and the outer identity is never accepted. But the user@realm is authenticated... I'm sorry I know you need more informations about my confs and outputs, but I don't want to make this post longer than it is... So, I can post more informations... Thank you for helping me ! J-P. _________________________________________________________________ Installez gratuitement les nouvelles Emoch'ticones ! http://www.ilovemessenger.fr/emoticones/telecharger-emoticones-emochticones....