I have FreeRADIUS setup do LDAP authentication against AD and also PEAP which ultimately uses ntlm_auth against AD. Both work fine for the most part except some users that I have started to add to the PEAP enabled wireless network. If I connect to this network, I authenticate fine. If one of these other accounts connects, the authentication fails for some reason. Here are the entries from the radius.log file: Thu Jun 12 13:21:25 2008 : Auth: Login OK: [DOMAIN\\user1] (from client WLANCTRLR1 port 0) Thu Jun 12 13:21:25 2008 : Auth: Login OK: [DOMAIN\\user1] (from client WLANCTRLR1 port 1 cli 00-0E-35-6F-A3-7D) Thu Jun 12 13:21:54 2008 : Auth: Login incorrect (rlm_ldap: User not found): [DOMAIN\\nonworkinguser/<via Auth-Type = EAP>] (from client WLANCTRLR1 port 0) Thu Jun 12 13:21:54 2008 : Auth: Login incorrect: [DOMAIN\\nonworkinguser/<via Auth-Type = EAP>] (from client WLANCTRLR1 port 1 cli 00-0C-F1-12-49-DD) Thu Jun 12 13:22:12 2008 : Auth: Login incorrect (rlm_ldap: User not found): [DOMAIN\\nonworkinguser/<via Auth-Type = EAP>] (from client WLANCTRLR1 port 0) Thu Jun 12 13:22:12 2008 : Auth: Login incorrect: [DOMAIN\\nonworkinguser/<via Auth-Type = EAP>] (from client WLANCTRLR1 port 1 cli 00-0C-F1-12-49-DD) Thu Jun 12 13:23:04 2008 : Auth: Login OK: [DOMAIN\\user1] (from client WLANCTRLR1 port 0) Thu Jun 12 13:23:04 2008 : Auth: Login OK: [DOMAIN\\user1] (from client WLANCTRLR1 port 2 cli 00-0E-35-6F-A3-7D) If I try the samba authentication from a command line on the FreeRADIUS server, it completes successfully: [root@RADIUS1 raddb]# /usr/local/samba/bin/wbinfo -a nonworkinguser%testpassword plaintext password authentication succeeded challenge/response password authentication succeeded If I test authentication of the user using radtest, it works fine and is able to find the user: [root@RADIUS2 ~]# radtest nonworkinguser testpassword 10.1.1.1 1 testing123 Sending Access-Request of id 221 to 10.1.1.1 port 1812 User-Name = "nonworkinguser" User-Password = "testpassword" NAS-IP-Address = 127.0.0.1 NAS-Port = 1 rad_recv: Access-Accept packet from host 10.1.1.1 port 1812, id=221, length=20 What I believe to be the relevant part of the radiusd -X output is: auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for nonworkinguser with NT-Password expand: --username=%{mschap:User-Name} -> --username=nonworkinguser mschap2: 85 expand: --challenge=%{mschap:Challenge:-00} -> --challenge=3c2921ed60ab0f28 expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=9b2c345dd9585a0b79b19cd2fe360474a737271903b6989c Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject rlm_eap: Freeing handler ++[eap] returns reject auth: Failed to validate the user. Login incorrect (rlm_ldap: User not found): [DOMAIN\\nonworkinguser/<via Auth-Type = EAP>] (from client WLANCTRLR1 port 0) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ++[eap] returns handled Anyone have any ideas as to what the problem might be?