Hi, the authentication fails because of the realm isn't stripped. the man page says: "by default the realm is stripped ..." proxy.conf: #### just testing telesec ####### realm telesec { authhost = LOCAL secret = blabla } Debug: Tue Sep 26 08:33:47 2017 : Debug: (1) User-Name = "hans@telesec" Tue Sep 26 08:33:47 2017 : Debug: (1) User-Password = "Itmc2628" Tue Sep 26 08:33:47 2017 : Debug: (1) session-state: No State attribute Tue Sep 26 08:33:47 2017 : Debug: (1) # Executing section authorize from file /etc/freeradius/sites-enabled/default Tue Sep 26 08:33:47 2017 : Debug: (1) authorize { Tue Sep 26 08:33:47 2017 : Debug: (1) policy filter_username { Tue Sep 26 08:33:47 2017 : Debug: (1) if (&User-Name) { Tue Sep 26 08:33:47 2017 : Debug: (1) if (&User-Name) -> TRUE Tue Sep 26 08:33:47 2017 : Debug: (1) if (&User-Name) { Tue Sep 26 08:33:47 2017 : Debug: (1) if (&User-Name =~ / /) { Tue Sep 26 08:33:47 2017 : Debug: (1) if (&User-Name =~ / /) -> FALSE Tue Sep 26 08:33:47 2017 : Debug: (1) if (&User-Name =~ /@[^@]*@/ ) { Tue Sep 26 08:33:47 2017 : Debug: (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE Tue Sep 26 08:33:47 2017 : Debug: (1) if (&User-Name =~ /\.\./ ) { Tue Sep 26 08:33:47 2017 : Debug: (1) if (&User-Name =~ /\.\./ ) -> FALSE Tue Sep 26 08:33:47 2017 : Debug: (1) if (&User-Name =~ /\.$/) { Tue Sep 26 08:33:47 2017 : Debug: (1) if (&User-Name =~ /\.$/) -> FALSE Tue Sep 26 08:33:47 2017 : Debug: (1) if (&User-Name =~ /@\./) { Tue Sep 26 08:33:47 2017 : Debug: (1) if (&User-Name =~ /@\./) -> FALSE Tue Sep 26 08:33:47 2017 : Debug: (1) } # if (&User-Name) = notfound Tue Sep 26 08:33:47 2017 : Debug: (1) } # policy filter_username = notfound Tue Sep 26 08:33:47 2017 : Debug: (1) modsingle[authorize]: calling preprocess (rlm_preprocess) Tue Sep 26 08:33:47 2017 : Debug: (1) modsingle[authorize]: returned from preprocess (rlm_preprocess) Tue Sep 26 08:33:47 2017 : Debug: (1) [preprocess] = ok Tue Sep 26 08:33:47 2017 : Debug: (1) modsingle[authorize]: calling chap (rlm_chap) Tue Sep 26 08:33:47 2017 : Debug: (1) modsingle[authorize]: returned from chap (rlm_chap) Tue Sep 26 08:33:47 2017 : Debug: (1) [chap] = noop Tue Sep 26 08:33:47 2017 : Debug: (1) modsingle[authorize]: calling mschap (rlm_mschap) Tue Sep 26 08:33:47 2017 : Debug: (1) modsingle[authorize]: returned from mschap (rlm_mschap) Tue Sep 26 08:33:47 2017 : Debug: (1) [mschap] = noop Tue Sep 26 08:33:47 2017 : Debug: (1) modsingle[authorize]: calling digest (rlm_digest) Tue Sep 26 08:33:47 2017 : Debug: (1) modsingle[authorize]: returned from digest (rlm_digest) Tue Sep 26 08:33:47 2017 : Debug: (1) [digest] = noop Tue Sep 26 08:33:47 2017 : Debug: (1) modsingle[authorize]: calling suffix (rlm_realm) Tue Sep 26 08:33:47 2017 : Debug: (1) suffix: Checking for suffix after "@" Tue Sep 26 08:33:47 2017 : Debug: (1) suffix: Looking up realm "telesec" for User-Name = "hans@telesec" Tue Sep 26 08:33:47 2017 : Debug: (1) suffix: Found realm "telesec" Tue Sep 26 08:33:47 2017 : Debug: (1) suffix: Adding Stripped-User-Name = "hans" Tue Sep 26 08:33:47 2017 : Debug: (1) suffix: Adding Realm = "telesec" Tue Sep 26 08:33:47 2017 : Debug: (1) suffix: Authentication realm is LOCAL Tue Sep 26 08:33:47 2017 : Debug: (1) modsingle[authorize]: returned from suffix (rlm_realm) Tue Sep 26 08:33:47 2017 : Debug: (1) [suffix] = ok Tue Sep 26 08:33:47 2017 : Debug: (1) modsingle[authorize]: calling eap (rlm_eap) Tue Sep 26 08:33:47 2017 : Debug: (1) eap: No EAP-Message, not doing EAP Tue Sep 26 08:33:47 2017 : Debug: (1) modsingle[authorize]: returned from eap (rlm_eap) Tue Sep 26 08:33:47 2017 : Debug: (1) [eap] = noop Tue Sep 26 08:33:47 2017 : Debug: (1) modsingle[authorize]: calling files (rlm_files) Tue Sep 26 08:33:47 2017 : Debug: (1) modsingle[authorize]: returned from files (rlm_files) Tue Sep 26 08:33:47 2017 : Debug: (1) [files] = noop Tue Sep 26 08:33:47 2017 : Debug: (1) modsingle[authorize]: calling sql (rlm_sql) Tue Sep 26 08:33:47 2017 : Debug: %{User-Name} Tue Sep 26 08:33:47 2017 : Debug: Parsed xlat tree: Tue Sep 26 08:33:47 2017 : Debug: attribute --> User-Name Tue Sep 26 08:33:47 2017 : Debug: (1) sql: EXPAND %{User-Name} Tue Sep 26 08:33:47 2017 : Debug: (1) sql: --> hans@telesec Tue Sep 26 08:33:47 2017 : Debug: (1) sql: SQL-User-Name set to 'hans@telesec' Tue Sep 26 08:33:47 2017 : Info: rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 733 seconds Tue Sep 26 08:33:47 2017 : Debug: rlm_sql_mysql: Socket destructor called, closing socket Hans Bornemann Abteilung Datanet Technische Universität Dortmund ITMC Otto-Hahn-Str. 12 44227 Dortmund Tel.: +49 231-755 2132 hans.bornemann@tu-dortmund.de www.itmc.tu-dortmund.de Wichtiger Hinweis: Die Information in dieser E-Mail ist vertraulich. Sie ist ausschließlich für den Adressaten bestimmt. Sollten Sie nicht der für diese E-Mail bestimmte Adressat sein, unterrichten Sie bitte den Absender und vernichten Sie diese Mail. Vielen Dank. Unbeschadet der Korrespondenz per E-Mail, sind unsere Erklärungen ausschließlich final rechtsverbindlich, wenn sie in herkömmlicher Schriftform (mit eigenhändiger Unterschrift) oder durch Übermittlung eines solchen Schriftstücks per Telefax erfolgen. Important note: The information included in this e-mail is confidential. It is solely intended for the recipient. If you are not the intended recipient of this e-mail please contact the sender and delete this message. Thank you. Without prejudice of e-mail correspondence, our statements are only legally binding when they are made in the conventional written form (with personal signature) or when such documents are sent by fax.