Hi Alan, Is this what you want to see? Debug: <running>: Received Access-Request Id 11 from 138.253.100.106:43157 to 138.253.100.213:1812 length 211 Debug: <running>: User-Name = "@liv.ac.uk" Debug: <running>: NAS-IP-Address = 127.0.0.1 Debug: <running>: Calling-Station-Id = "02-00-00-00-00-01" Debug: <running>: Framed-MTU = 1400 Debug: <running>: NAS-Port-Type = Wireless-802.11 Debug: <running>: Connect-Info = "CONNECT 11Mbps 802.11b" Debug: <running>: EAP-Message = 0x020b005019001703010020f695d007ae23cdf71cae1d9399914a8fa32ab903ae990463ed0d593b6e9074e317030100209c394163311b9e013ad36d6830e3429c4c1ce402d31eb1256480213810d4ba11 Debug: <running>: State = 0xcc743382c67f2a3839968af4b7f3717b Debug: <running>: Message-Authenticator = 0x7502c284b61413840659458cb9481582 Debug: <running>: session-state: No cached attributes Debug: <running>: # Executing section authorize from file /usr/local/freeradius-3.0.10/etc/raddb/sites-enabled/eduroam Debug: <running>: authorize { Debug: <running>: if (User-Name =~ /@$/){ Debug: <running>: if (User-Name =~ /@$/) -> FALSE Debug: <running>: if (User-Name =~ /@.+?@/){ Debug: <running>: if (User-Name =~ /@.+?@/) -> FALSE Debug: <running>: if (User-Name =~ /@.+?[^[:alnum:]\\.-]/){ Debug: <running>: if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE Debug: <running>: if (User-Name =~ /@[\\.-]/){ Debug: <running>: if (User-Name =~ /@[\\.-]/) -> FALSE Debug: <running>: if (User-Name =~ /@.+?[\\.-]$/){ Debug: <running>: if (User-Name =~ /@.+?[\\.-]$/) -> FALSE Debug: <running>: if (User-Name =~ /@[^\\.]+$/){ Debug: <running>: if (User-Name =~ /@[^\\.]+$/) -> FALSE Debug: <running>: if (User-Name =~ /@.+?\\.\\./){ Debug: <running>: if (User-Name =~ /@.+?\\.\\./) -> FALSE Debug: <running>: if (User-Name =~ /@myabc\\.com$/i){ Debug: <running>: if (User-Name =~ /@myabc\\.com$/i) -> FALSE Debug: <running>: if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i){ Debug: <running>: if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE Debug: <running>: if (User-Name =~ /@gmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i){ Debug: <running>: if (User-Name =~ /@gmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) -> FALSE Debug: <running>: if (User-Name =~ /@yahoo\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i){ Debug: <running>: if (User-Name =~ /@yahoo\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) -> FALSE Debug: <running>: if (User-Name =~ /@hotmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i){ Debug: <running>: if (User-Name =~ /@hotmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) -> FALSE Debug: <running>: if (User-Name =~ /@\\.?ac\\.uk$/i){ Debug: <running>: if (User-Name =~ /@\\.?ac\\.uk$/i) -> FALSE Debug: <running>: if (User-Name =~ /@.+?\\.ax\\.uk$/i){ Debug: <running>: if (User-Name =~ /@.+?\\.ax\\.uk$/i) -> FALSE Debug: <running>: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 9776 Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 9776 Debug: [preprocess] = ok Debug: policy operator-name.authorize { Debug: if ("%{client:Operator-Name}") { Debug: EXPAND TMPL XLAT STRUCT Debug: EXPAND %{client:Operator-Name} Debug: --> 1liv.ac.uk Debug: if ("%{client:Operator-Name}") -> TRUE Debug: if ("%{client:Operator-Name}") { Debug: update request { Debug: EXPAND %{client:Operator-Name} Debug: --> 1liv.ac.uk Debug: &Operator-Name = 1liv.ac.uk Debug: } # update request = noop Debug: } # if ("%{client:Operator-Name}") = noop Debug: } # policy operator-name.authorize = noop Debug: policy cui.authorize { Debug: if ("%{client:add_cui}" == 'yes') { Debug: EXPAND TMPL XLAT STRUCT Debug: EXPAND %{client:add_cui} Debug: --> yes Debug: if ("%{client:add_cui}" == 'yes') -> TRUE Debug: if ("%{client:add_cui}" == 'yes') { Debug: update request { Debug: &Chargeable-User-Identity := 0x00 Debug: } # update request = noop Debug: } # if ("%{client:add_cui}" == 'yes') = noop Debug: } # policy cui.authorize = noop Debug: modsingle[authorize]: calling auth_log (rlm_detail) for request 9776 Debug: auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d Debug: auth_log: --> /var/log/radius/radacct/138.253.100.106/auth-detail-20151101 Debug: auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/138.253.100.106/auth-detail-20151101 Debug: auth_log: EXPAND %t Debug: auth_log: --> Sun Nov 1 11:33:39 2015 Debug: modsingle[authorize]: returned from auth_log (rlm_detail) for request 9776 Debug: [auth_log] = ok Debug: modsingle[authorize]: calling chap (rlm_chap) for request 9776 Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 9776 Debug: [chap] = noop Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 9776 Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 9776 Debug: [mschap] = noop Debug: modsingle[authorize]: calling digest (rlm_digest) for request 9776 Debug: modsingle[authorize]: returned from digest (rlm_digest) for request 9776 Debug: [digest] = noop Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 9776 Debug: suffix: Checking for suffix after "@" Debug: suffix: Looking up realm "liv.ac.uk" for User-Name = "@liv.ac.uk" Debug: suffix: Found realm "liv.ac.uk" Debug: suffix: Adding Stripped-User-Name = "" Debug: suffix: Adding Realm = "liv.ac.uk" Debug: suffix: Authentication realm is LOCAL Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 9776 Debug: [suffix] = ok Debug: modsingle[authorize]: calling eap (rlm_eap) for request 9776 Debug: eap: Peer sent EAP Response (code 2) ID 11 length 80 Debug: eap: Continuing tunnel setup Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 9776 Debug: [eap] = ok Debug: } # authorize = ok Debug: Found Auth-Type = EAP Debug: # Executing group from file /usr/local/freeradius-3.0.10/etc/raddb/sites-enabled/eduroam Debug: authenticate { Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 9776 Debug: eap: Expiring EAP session with state 0x1c8798b11c8582ab Debug: eap: Finished EAP session with state 0xcc743382c67f2a38 Debug: eap: Previous EAP request found for state 0xcc743382c67f2a38, released from the list Debug: eap: Peer sent packet with method EAP PEAP (25) Debug: eap: Calling submodule eap_peap to process data Debug: eap_peap: Continuing EAP-TLS Debug: eap_peap: Peer sent flags --- Debug: eap_peap: [eaptls verify] = ok Debug: eap_peap: Done initial handshake Debug: eap_peap: [eaptls process] = ok Debug: eap_peap: Session established. Decoding tunneled attributes Debug: eap_peap: PEAP state send tlv failure Debug: eap_peap: Received EAP-TLV response ERROR: eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed Debug: eap: Sending EAP Failure (code 4) ID 11 length 4 Debug: eap: Failed in EAP select Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 9776 Debug: [eap] = invalid Debug: } # authenticate = invalid Debug: Failed to authenticate the user Debug: Using Post-Auth-Type Reject Debug: # Executing group from file /usr/local/freeradius-3.0.10/etc/raddb/sites-enabled/eduroam Debug: Post-Auth-Type REJECT { Debug: modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter) for request 9776 Debug: attr_filter.access_reject: EXPAND %{User-Name} Debug: attr_filter.access_reject: --> @liv.ac.uk Debug: attr_filter.access_reject: Matched entry DEFAULT at line 11 Debug: attr_filter.access_reject: EAP-Message = 0x040b0004 allowed by EAP-Message =* 0x Debug: attr_filter.access_reject: Attribute "EAP-Message" allowed by 1 rules, disallowed by 0 rules Debug: attr_filter.access_reject: Message-Authenticator = 0x00000000000000000000000000000000 allowed by Message-Authenticator =* 0x Debug: attr_filter.access_reject: Attribute "Message-Authenticator" allowed by 1 rules, disallowed by 0 rules Debug: modsingle[post-auth]: returned from attr_filter.access_reject (rlm_attr_filter) for request 9776 Debug: [attr_filter.access_reject] = updated Debug: modsingle[post-auth]: calling eap (rlm_eap) for request 9776 Debug: eap: Reply already contained an EAP-Message, not inserting EAP-Failure Debug: modsingle[post-auth]: returned from eap (rlm_eap) for request 9776 Debug: [eap] = noop Debug: policy remove_reply_message_if_eap { Debug: if (&reply:EAP-Message && &reply:Reply-Message) { Debug: if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE Debug: else { Debug: modsingle[post-auth]: calling noop (rlm_always) for request 9776 Debug: modsingle[post-auth]: returned from noop (rlm_always) for request 9776 Debug: [noop] = noop Debug: } # else = noop Debug: } # policy remove_reply_message_if_eap = noop Debug: } # Post-Auth-Type REJECT = updated Debug: Delaying response for 1.000000 seconds Tim Pretlove Computing Services University of Liverpool Brownlow Hill Liverpool, L69 3GG Email: pretlove@liverpool.ac.uk Phone: 0151-794-4479