Hello, I'm running WPA-Enterprise with TTLS authentication and LDAP backend. Config was running fine since 1,5 year. Problem is that I cannot authenticate to my network with wpa_supplicant, although I could, and from Windows & Secure2w TTLS wrapper - I can. I use Gentoo and did some upgrades (but nothing special I guess, kernel is the same, and wpa_supplicant also) My eap.conf: eap { default_eap_type = mschapv2 timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } tls { private_key_file = ${raddbdir}/certs/radius1.uni.opole.pl.key certificate_file = ${raddbdir}/certs/radius1.uni.opole.pl.pem CA_path = ${raddbdir}/certs/ CA_file = ${raddbdir}/certs/ca.uni.opole.pl.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random fragment_size = 1024 check_cert_cn = %{User-Name} #check_crl = yes crl_dir = /etc/raddb/certs proxy_tunneled_request_as_eap = yes } peap { default_eap_type = mschapv2 } ttls { default_eap_type = md5 copy_request_to_tunnel = yes use_tunneled_reply = yes } mschapv2 { } } My wpa_supplicant.conf ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=0 eapol_version=1 fast_reauth=1 update_config=0 network={ ssid="eduroam" scan_ssid=1 proto=WPA key_mgmt=WPA-EAP pairwise=TKIP eap=TTLS identity="jsyrytczyk@uni.opole.pl" password="mycorrectpassword" ca_cert="/etc/wpa_supplicant/ca.uni.opole.pl.pem" phase2="auth=PAP" } My error: Ready to process requests. rad_recv: Access-Request packet from host 217.173.193.40:4347, id=89, length=205 User-Name = "jsyrytczyk@uni.opole.pl" Framed-MTU = 1400 Called-Station-Id = "0019.a9b5.3a01" Calling-Station-Id = "0002.7258.7f14" Cisco-AVPair = "ssid=eduroam" Service-Type = Login-User Message-Authenticator = 0x2e72d462f1fb588c9674049e6b61e580 EAP-Message = 0x0201001c016a7379727974637a796b40756e692e6f706f6c652e706c NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "461" NAS-Port = 461 NAS-IP-Address = 10.59.223.247 NAS-Identifier = "AP1242_eduroam_CI" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_realm: Looking up realm "uni.opole.pl" for User-Name = "jsyrytczyk@uni.opole.pl" rlm_realm: Found realm "uni.opole.pl" rlm_realm: Proxying request from user jsyrytczyk to realm uni.opole.pl rlm_realm: Adding Realm = "uni.opole.pl" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 0 rlm_acct_unique: WARNING: Attribute Acct-Session-Id was not found in request, unique ID MAY be inconsistent rlm_acct_unique: Hashing 'NAS-Port = 461,Client-IP-Address = 217.173.193.40,NAS-IP-Address = 10.59.223.247,,User-Name = "jsyrytczyk@uni.opole.pl"' rlm_acct_unique: Acct-Unique-Session-ID = "0e208dc42b670eee". modcall[authorize]: module "acct_unique" returns ok for request 0 radius_xlat: 'jsyrytczyk@uni.opole.pl' rlm_attr_rewrite: Added attribute Stripped-User-Name with value 'jsyrytczyk@uni.opole.pl' modcall[authorize]: module "copy.user-name" returns ok for request 0 radius_xlat: '@.*$' rlm_attr_rewrite: Changed value for attribute Stripped-User-Name from 'jsyrytczyk@uni.opole.pl' to 'jsyrytczyk' modcall[authorize]: module "strip.user-name" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for jsyrytczyk@uni.opole.pl radius_xlat: '(&(objectClass=VirtualMailAccount) (mail=jsyrytczyk@uni.opole.pl)(accountActive=TRUE)(delete=FALSE))' radius_xlat: 'o=hosting,dc=uo,dc=opole,dc=pl' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 217.173.193.3:389, authentication 0 rlm_ldap: bind as cn=dovecot,dc=uo,dc=opole,dc=pl/hereismyldapdatabasepass to 217.173.193.3:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in o=hosting,dc=uo,dc=opole,dc=pl, with filter (&(objectClass=VirtualMailAccount)(mail=jsyrytczyk@uni.opole.pl) (accountActive=TRUE)(delete=FALSE)) rlm_ldap: checking if remote access for jsyrytczyk@uni.opole.pl is allowed by dialupAccess rlm_ldap: Password header not found in password {CRYPT}hash for user jsyrytczyk@uni.opole.pl rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as User-Password == "{CRYPT}hash" rlm_ldap: looking for reply items in directory... rlm_ldap: user jsyrytczyk@uni.opole.pl authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 rlm_eap: EAP packet type response id 1 length 28 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 modcall[authorize]: module "files" returns notfound for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 89 to 217.173.193.40 port 4347 EAP-Message = 0x010200311a0102002c10124897b1c632a0dd9edec5d89e10c5bc6a7379727974637a796b40756e692e6f706f6c652e706c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcdc132917ef520c9537ed9cbb1481929 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 217.173.193.40:4347, id=90, length=201 User-Name = "jsyrytczyk@uni.opole.pl" Framed-MTU = 1400 Called-Station-Id = "0019.a9b5.3a01" Calling-Station-Id = "0002.7258.7f14" Cisco-AVPair = "ssid=eduroam" Service-Type = Login-User Message-Authenticator = 0x1290a4533963f73ed925dec295cbefdf EAP-Message = 0x020200060315 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "461" NAS-Port = 461 State = 0xcdc132917ef520c9537ed9cbb1481929 NAS-IP-Address = 10.59.223.247 NAS-Identifier = "AP1242_eduroam_CI" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 rlm_realm: Looking up realm "uni.opole.pl" for User-Name = "jsyrytczyk@uni.opole.pl" rlm_realm: Found realm "uni.opole.pl" rlm_realm: Proxying request from user jsyrytczyk to realm uni.opole.pl rlm_realm: Adding Realm = "uni.opole.pl" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 1 rlm_acct_unique: WARNING: Attribute Acct-Session-Id was not found in request, unique ID MAY be inconsistent rlm_acct_unique: Hashing 'NAS-Port = 461,Client-IP-Address = 217.173.193.40,NAS-IP-Address = 10.59.223.247,,User-Name = "jsyrytczyk@uni.opole.pl"' rlm_acct_unique: Acct-Unique-Session-ID = "0e208dc42b670eee". modcall[authorize]: module "acct_unique" returns ok for request 1 radius_xlat: 'jsyrytczyk@uni.opole.pl' rlm_attr_rewrite: Added attribute Stripped-User-Name with value 'jsyrytczyk@uni.opole.pl' modcall[authorize]: module "copy.user-name" returns ok for request 1 radius_xlat: '@.*$' rlm_attr_rewrite: Changed value for attribute Stripped-User-Name from 'jsyrytczyk@uni.opole.pl' to 'jsyrytczyk' modcall[authorize]: module "strip.user-name" returns ok for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for jsyrytczyk@uni.opole.pl radius_xlat: '(&(objectClass=VirtualMailAccount) (mail=jsyrytczyk@uni.opole.pl)(accountActive=TRUE)(delete=FALSE))' radius_xlat: 'o=hosting,dc=uo,dc=opole,dc=pl' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=hosting,dc=uo,dc=opole,dc=pl, with filter (&(objectClass=VirtualMailAccount)(mail=jsyrytczyk@uni.opole.pl) (accountActive=TRUE)(delete=FALSE)) rlm_ldap: checking if remote access for jsyrytczyk@uni.opole.pl is allowed by dialupAccess rlm_ldap: Password header not found in password {CRYPT}hashed for user jsyrytczyk@uni.opole.pl rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as User-Password == "{CRYPT}hashed" rlm_ldap: looking for reply items in directory... rlm_ldap: user jsyrytczyk@uni.opole.pl authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 1 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 modcall[authorize]: module "files" returns notfound for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/ttls rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 90 to 217.173.193.40 port 4347 EAP-Message = 0x010300061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf7496deb8d0573d9ee6c13a2b51ba8bc Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 217.173.193.40:4347, id=91, length=201 User-Name = "jsyrytczyk@uni.opole.pl" Framed-MTU = 1400 Called-Station-Id = "0019.a9b5.3a01" Calling-Station-Id = "0002.7258.7f14" Cisco-AVPair = "ssid=eduroam" Service-Type = Login-User Message-Authenticator = 0xed18d300aabdabba014117f1b2bca527 EAP-Message = 0x020200060315 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "461" NAS-Port = 461 State = 0xf7496deb8d0573d9ee6c13a2b51ba8bc NAS-IP-Address = 10.59.223.247 NAS-Identifier = "AP1242_eduroam_CI" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 rlm_realm: Looking up realm "uni.opole.pl" for User-Name = "jsyrytczyk@uni.opole.pl" rlm_realm: Found realm "uni.opole.pl" rlm_realm: Proxying request from user jsyrytczyk to realm uni.opole.pl rlm_realm: Adding Realm = "uni.opole.pl" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 2 rlm_acct_unique: WARNING: Attribute Acct-Session-Id was not found in request, unique ID MAY be inconsistent rlm_acct_unique: Hashing 'NAS-Port = 461,Client-IP-Address = 217.173.193.40,NAS-IP-Address = 10.59.223.247,,User-Name = "jsyrytczyk@uni.opole.pl"' rlm_acct_unique: Acct-Unique-Session-ID = "0e208dc42b670eee". modcall[authorize]: module "acct_unique" returns ok for request 2 radius_xlat: 'jsyrytczyk@uni.opole.pl' rlm_attr_rewrite: Added attribute Stripped-User-Name with value 'jsyrytczyk@uni.opole.pl' modcall[authorize]: module "copy.user-name" returns ok for request 2 radius_xlat: '@.*$' rlm_attr_rewrite: Changed value for attribute Stripped-User-Name from 'jsyrytczyk@uni.opole.pl' to 'jsyrytczyk' modcall[authorize]: module "strip.user-name" returns ok for request 2 rlm_ldap: - authorize rlm_ldap: performing user authorization for jsyrytczyk@uni.opole.pl radius_xlat: '(&(objectClass=VirtualMailAccount) (mail=jsyrytczyk@uni.opole.pl)(accountActive=TRUE)(delete=FALSE))' radius_xlat: 'o=hosting,dc=uo,dc=opole,dc=pl' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=hosting,dc=uo,dc=opole,dc=pl, with filter (&(objectClass=VirtualMailAccount)(mail=jsyrytczyk@uni.opole.pl) (accountActive=TRUE)(delete=FALSE)) rlm_ldap: checking if remote access for jsyrytczyk@uni.opole.pl is allowed by dialupAccess rlm_ldap: Password header not found in password {CRYPT}hashed for user jsyrytczyk@uni.opole.pl rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as User-Password == "{CRYPT}hashed" rlm_ldap: looking for reply items in directory... rlm_ldap: user jsyrytczyk@uni.opole.pl authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 2 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 modcall[authorize]: module "files" returns notfound for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request not found in the list rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request rlm_eap: Failed in handler modcall[authenticate]: module "eap" returns invalid for request 2 modcall: leaving group authenticate (returns invalid) for request 2 auth: Failed to validate the user. Login incorrect: [jsyrytczyk@uni.opole.pl] (from client UniNet port 461 cli 0002.7258.7f14) Delaying request 2 for 1 seconds Finished request 2 Going to the next request Waking up in 6 seconds... Freeradius writes my password is incorrect, but of course it is correct. It also complains about bad {crypt} header, but it performs well with it when using Windows. Anyway, when I pass correct header or change it to any other in radiusd.conf it changes nothing. I substituted all passwords of course. -- Syrytczyk Janusz - Administrator serwerów Centrum Informatyczne Uniwersytetu Opolskiego Nr telefonu: +48 77 452-70-91 E-mail: jsyrytczyk@uni.opole.pl -- Syrytczyk Janusz - Administrator serwerów Centrum Informatyczne Uniwersytetu Opolskiego Nr telefonu: +48 77 452-70-91 E-mail: jsyrytczyk@uni.opole.pl