Hello, i have a problem with my freeradius 2.1.10. I try to use PEAP and MSCHAPv2 to authenticate my wireless client against radius and ldap. The client is a Windows XP Proffesional and configuered to use "protected EAP(PEAP)" for the wireless network. On the radius servers console the following debug output is shown. It seems that the radius wants to use tls instead of peap, but the client don't have a client-certificate because EAP-MSCHAP v2 should be used. The amazing thing is, this radius server is a vm-clone from an other radius, but the other radius works fine. Debug Output: rad_recv: Access-Request packet from host ... port 32769, id=219, length=159 User-Name = "xy" Calling-Station-Id = "..." Called-Station-Id = "..." NAS-Port = 1 NAS-IP-Address = ... NAS-Identifier = "T:WLC2125" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0202000b01737461646572 Message-Authenticator = 0xe5b0ffbed84243bf27ac1ac9c9fcd0b5 server eduroam { # Executing section authorize from file /etc/freeradius/sites-enabled/eduroam +- entering group authorize {...} [suffix] No '@' in User-Name = "xy", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++[mschap] returns noop [eap] EAP packet type response id 2 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/eduroam +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled } # server eduroam Sending Access-Challenge of id 219 to ... port 32769 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3abc7e1c3abf6764392496688aff7b3f Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host ... port 32769, id=219, length=159 Sending duplicate reply to client WLC-TUT port 32769 - ID: 219 Sending Access-Challenge of id 219 to ... port 32769 Waking up in 2.0 seconds. Cleaning up request 0 ID 219 with timestamp +3 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x3abc7e1c3abf6764 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Ready to process requests. eap.conf: eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } tls { certdir = /etc/hostcertkey cadir = /etc/cacert dh_file = ${certdir}/dh private_key_file = ${certdir}/roaming.key certificate_file = ${certdir}/roaming.pem CA_file = ${cadir}/chain.txt dh_file = ${certdir}/dh random_file = /dev/urandom fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" } ttls { default_eap_type = mschapv2 copy_request_to_tunnel = yes #use_tunneled_reply = yes virtual_server = "eduroam-inner-tunnel" } peap { default_eap_type = mschapv2 copy_request_to_tunnel = yes #use_tunneled_reply = yes #proxy_tunneled_request_as_eap = yes virtual_server = "eduroam-inner-tunnel" } mschapv2 { } } -- Mit freundlichen Grüßen, Jürgen Stader Rechenzentrum Hochschule Furtwangen www.hs-furtwangen.de