Hello all, I've been trying to authentication LAN on Cisco 2960 Switch. I've done configurations with PAP but this is the first time working with EAP. I have run into a bit of an issue. I receive a 'fatal :access denied error' in the debug log while testing with a single client. Radius version is 3.0.12 Please find full debug log attached as it was quite long, along with my defaults file , eap module file and inner tunnel. the Error as shown in debug output : (6) Received Access-Request Id 111 from 10.10.99.5:1645 to 115.186.154.51:1812 length 208 (6) User-Name = "inzamam.shafiq" (6) Service-Type = Framed-User (6) Framed-MTU = 1500 (6) Called-Station-Id = "F4-1F-C2-29-F2-04" (6) Calling-Station-Id = "5C-B9-01-40-7A-51" (6) EAP-Message = 0x0207002f1980000000251503010020c16512711bcb968946945393a285231d100f4ad033f9b228472d29b6fe0f9330 (6) Message-Authenticator = 0xe7d930474f3ffad35c235370b081c91f (6) NAS-Port-Type = Ethernet (6) NAS-Port = 50004 (6) NAS-Port-Id = "FastEthernet0/4" (6) State = 0x83dbc94886dcd087405afa3e400f12a5 (6) NAS-IP-Address = 10.10.99.5 (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/raddb/sites-enabled/default (6) authorize { (6) [preprocess] = ok (6) auth_log: EXPAND /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (6) auth_log: --> /var/log/radius/log/radius/radacct/10.10.99.5/auth-detail-20170308 (6) auth_log: /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/log/radius/radacct/10.10.99.5/auth-detail-20170308 (6) auth_log: EXPAND %t (6) auth_log: --> Wed Mar 8 11:05:41 2017 (6) [auth_log] = ok (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "inzamam.shafiq", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 7 length 47 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/raddb/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x83dbc94886dcd087 (6) eap: Finished EAP session with state 0x83dbc94886dcd087 (6) eap: Previous EAP request found for state 0x83dbc94886dcd087, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: Continuing EAP-TLS (6) eap_peap: Peer indicated complete TLS record size will be 37 bytes (6) eap_peap: Got complete TLS record (37 bytes) (6) eap_peap: [eaptls verify] = length included (6) eap_peap: <<< recv TLS 1.0 Alert [length 0002], fatal access_denied (6) eap_peap: ERROR: TLS Alert read:fatal:access denied (6) eap_peap: WARNING: No data inside of the tunnel (6) eap_peap: [eaptls process] = ok (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state ? (6) eap_peap: ERROR: Tunneled data is invalid (6) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (6) eap: Sending EAP Failure (code 4) ID 7 length 4 (6) eap: Failed in EAP select (6) [eap] = invalid (6) } # authenticate = invalid (6) Failed to authenticate the user (6) Using Post-Auth-Type Reject (6) # Executing group from file /etc/raddb/sites-enabled/default (6) Post-Auth-Type REJECT { (6) sql: EXPAND .query (6) sql: --> .query (6) sql: WARNING: No such configuration item .query (6) [sql] = noop (6) } # Post-Auth-Type REJECT = noop (6) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (6) Sending delayed response (6) Sent Access-Reject Id 111 from 115.186.154.51:1812 to 10.10.99.5:1645 length 44 (6) EAP-Message = 0x04070004 (6) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 105 with timestamp +9 (1) Cleaning up request packet ID 106 with timestamp +9 (2) Cleaning up request packet ID 107 with timestamp +9 (3) Cleaning up request packet ID 108 with timestamp +10 (4) Cleaning up request packet ID 109 with timestamp +10 (5) Cleaning up request packet ID 110 with timestamp +10 (6) Cleaning up request packet ID 111 with timestamp +10 Ready to process requests I read that radius works with EAP out of the box. I'm sorry I don't have more troubleshooting info as I couldnt figure out how to move forward from here. If I could be pointed in the right direction it would be greatly appreciated. Please let me know if further information is required. BR/Mustafa.