first of all, how I wished the eduroam howto (http://wiki.freeradius.org/guide/eduroam) was online when I first had to configure freeradius. Lucky those who can start from it: it used to be harder. Still, I have a problem. Following the howto with the files setup, I can handle the happy path result (user with correct password). Everything works. If I modify the ~/eapol_test/peap-mschapv2.conf file with: password="iamthewrongpassword" the request fails after a while, like the server would give the client a second try: eapol logs: [...] EAP-MSCHAPV2: password changing protocol version 3 EAP-MSCHAPV2: failure message: 'Authentication rejected' (retry allowed, error 691) EAPOL: EAP parameter needed [...] and it takes 30 secs to issue the "FAILURE" line. ./sbin/radiusd -X [...] (14) eap_mschapv2: authenticate { (14) mschap: Found Cleartext-Password, hashing to create NT-Password (14) mschap: Found Cleartext-Password, hashing to create LM-Password (14) mschap: Creating challenge hash with username: a_user@example.org (14) mschap: Client is using MS-CHAPv2 (14) mschap: ERROR: MS-CHAP2-Response is incorrect (14) [mschap] = reject (14) } # authenticate = reject (14) MSCHAP-Error: ?E=691 R=1 C=3277c9a2969ff694b1e423f83f99ecd4 V=3 M=Authentication rejected (14) Found new challenge from MS-CHAP-Error: err=691 retry=1 challenge=3277c9a2969ff694b1e423f83f99ecd4 (14) ERROR: MSCHAP Failure (14) inner-eap: Sending EAP Request (code 1) ID 9 length 83 (14) inner-eap: EAP session adding &reply:State = 0x30262b3d312f3188 (14) [inner-eap] = handled (14) } # authenticate = handled (14) } # server eduroam-inner (14) Virtual server sending reply (14) EAP-Message = 0x010900531a0408004e453d36393120523d3120433d333237376339613239363966663639346231653432336638336639396563643420563d33204d3d41757468656e7469636174696f6e2072656a6563746564 (14) Message-Authenticator = 0x00000000000000000000000000000000 (14) State = 0x30262b3d312f318871613eb63a4734ad (14) eap_peap: Got tunneled reply code 11 (14) eap_peap: EAP-Message = 0x010900531a0408004e453d36393120523d3120433d333237376339613239363966663639346231653432336638336639396563643420563d33204d3d41757468656e7469636174696f6e2072656a6563746564 (14) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (14) eap_peap: State = 0x30262b3d312f318871613eb63a4734ad (14) eap_peap: Got tunneled reply RADIUS code 11 (14) eap_peap: EAP-Message = 0x010900531a0408004e453d36393120523d3120433d333237376339613239363966663639346231653432336638336639396563643420563d33204d3d41757468656e7469636174696f6e2072656a6563746564 (14) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (14) eap_peap: State = 0x30262b3d312f318871613eb63a4734ad (14) eap_peap: Got tunneled Access-Challenge (14) eap: Sending EAP Request (code 1) ID 9 length 114 (14) eap: EAP session adding &reply:State = 0x8dc44f9585cd5612 (14) [eap] = handled (14) } # authenticate = handled (14) Using Post-Auth-Type Challenge (14) Post-Auth-Type sub-section not found. Ignoring. (14) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default (14) session-state: Saving cached attributes (14) Stripped-User-Name := "a_user" (14) Sent Access-Challenge Id 8 from 127.0.0.1:1812 to 127.0.0.1:46152 length 0 (14) EAP-Message = 0x01090072190017030300674cef3f0c59b8f592198c61cd5c9a8810373267c99f6db7b6e410e43143fec0b5f4fb860d8b544e0b844edd43b9b26b119dfa7f1f7d3053bfab5b22f77511dad11e5369876d20211362ed1e949b67950fa465d6aec569ae4beae10d613101854ea2cbc3276df6df (14) Message-Authenticator = 0x00000000000000000000000000000000 (14) State = 0x8dc44f9585cd56126b4642e6eb93d427 (14) Finished request [...] Why am I missing the: linelog_send_reject from my logs? If I choose pap (~/eapol_test/eap-ttls.conf), I can see the failure log line (when password is wrong). And the client takes only one sec to tell me there is a failure. What did I do wrong? Freeradius is 3.0.17 on Debian GNU/Linux 9 (stretch), thank you, Francesco