Hi, Recently I installed freeradius server on freeipa server by following configuration, when I tried to test using radtest user <password> serverinfo 1812 somesecret getting error Received Access-Reject Id 226 from 10.0.0.95:1812 to 0.0.0.0:0 length 20 1. -: Expected Access-Accept got Access-Reject (10) Received Access-Request Id 226 from 10.0.0.95:55049 to 10.0.0.95:1812 length 83 (10) User-Name = "test@test.org" (10) User-Password = "Reflexis@0418" (10) NAS-IP-Address = 10.0.0.95 (10) NAS-Port = 1812 (10) Message-Authenticator = 0xf9fc18c97a4bc9e5e8f71bb6224f46bb (10) # Executing section authorize from file /etc/raddb/sites-enabled/ default (10) authorize { (10) policy filter_username { (10) if (&User-Name) { (10) if (&User-Name) -> TRUE (10) if (&User-Name) { (10) if (&User-Name =~ / /) { (10) if (&User-Name =~ / /) -> FALSE (10) if (&User-Name =~ /@[^@]*@/ ) { (10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (10) if (&User-Name =~ /\.\./ ) { (10) if (&User-Name =~ /\.\./ ) -> FALSE (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (10) if (&User-Name =~ /\.$/) { (10) if (&User-Name =~ /\.$/) -> FALSE (10) if (&User-Name =~ /@\./) { (10) if (&User-Name =~ /@\./) -> FALSE (10) } # if (&User-Name) = notfound (10) } # policy filter_username = notfound (10) [preprocess] = ok (10) [chap] = noop (10) [mschap] = noop (10) [digest] = noop (10) suffix: Checking for suffix after "@" (10) suffix: Looking up realm "test.org" for User-Name = "test@test.org" (10) suffix: No such realm "test.org" (10) [suffix] = noop (10) eap: No EAP-Message, not doing EAP (10) [eap] = noop (10) [files] = noop rlm_ldap (ldap): Closing connection (11): Hit idle_timeout, was idle for 223 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (9): Hit idle_timeout, was idle for 169 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (12): Hit idle_timeout, was idle for 169 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (ldap): Opening additional connection (13), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldap://rflxpnqrds02.test.org:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (13) (10) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (10) ldap: --> (uid=test@test.org) (10) ldap: Performing search in "dc=test,dc=org" with filter "(uid= test@test.org)", scope "sub" (10) ldap: Waiting for search result... (10) ldap: Search returned no results rlm_ldap (ldap): Released connection (13) Need 2 more connections to reach min connections (3) rlm_ldap (ldap): Opening additional connection (14), 1 of 31 pending slots used rlm_ldap (ldap): Connecting to ldap://rflxpnqrds02.test.org:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (10) [ldap] = notfound (10) if ((ok || updated) && User-Password) { (10) if ((ok || updated) && User-Password) -> FALSE (10) [expiration] = noop (10) [logintime] = noop (10) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (10) pap: WARNING: Authentication will fail unless a "known good" password is available (10) [pap] = noop (10) } # authorize = ok (10) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (10) Failed to authenticate the user (10) Using Post-Auth-Type Reject (10) # Executing group from file /etc/raddb/sites-enabled/default (10) Post-Auth-Type REJECT { (10) attr_filter.access_reject: EXPAND %{User-Name} (10) attr_filter.access_reject: --> test@test.org (10) attr_filter.access_reject: Matched entry DEFAULT at line 11 (10) [attr_filter.access_reject] = updated (10) [eap] = noop (10) policy remove_reply_message_if_eap { (10) if (&reply:EAP-Message && &reply:Reply-Message) { (10) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (10) else { (10) [noop] = noop (10) } # else = noop (10) } # policy remove_reply_message_if_eap = noop (10) } # Post-Auth-Type REJECT = updated (10) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (10) Sending delayed response (10) Sent Access-Reject Id 226 from 10.0.0.95:1812 to 10.0.0.95:55049 length 20 Waking up in 3.9 seconds. (10) Cleaning up request packet ID 226 with timestamp +756 Followed installation steps (Source : https://www.freeipa.org/page/ Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_ token_OTP_system_with_CentOS/RedHat_7) root@ipa ~]# yum install freeradius freeradius-utils freeradius-ldap freeradius-krb5 ... In order to configure the RADIUS server to authenticate with the software token provided by the IPA server, we must let RADIUS accept requests from your clients (including the IPA server itself), enable the default configuration to search for users in the IPA server with LDAP protocol and try to authenticate them with an LDAP bind() operation. All the RADIUS configuration files are in /etc/raddb, and most of the configuration is done by linking files from the mod-available directory to mod-enabled and then editing them as needed. As a first step, add the following lines at the beginning of clients.conf: client localnet { ipaddr = 192.168.1.0/24 proto = * secret = somesecret nas_type = other<------># localhost isn't usually a NAS... limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } In sites-enabled/default and sites-enabled/inner-tunnel replace these line # # The ldap module reads passwords from the LDAP database. -ldap with these # # The ldap module reads passwords from the LDAP database. ldap if ((ok || updated) && User-Password) { update { control:Auth-Type := ldap } } and uncomment the following lines # Auth-Type LDAP { # ldap # } As a last step, enable and configure the LDAP backend in RADIUS. Add LDAP to the enabled mods: [root@ipa raddb]# ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ [root@ipa raddb]# Edit mods-enable/ldap to change server = "ldap.rrdns.example.org ldap.rrdns.example.org ldap.example.org" and # base_dn = "dc=example,dc=org" to server = "ipa.test.org" and base_dn = "dc=test,dc=org" To reach the RADIUS server from other clients, we must also open the firewall for the required ports: [root@ipa ~]# firewall-cmd --permanent --zone=public --add-port=1812/udp --add-port=1813/udp Success [root@ipa ~]# systemctl restart firewalld.service [root@ipa ~]# *Thanks,* Mohiddin