I've reviewed the debug output and it appears to point to the attr_filter.post_proxy filter. I should mention that the defaults for the attr_filter are in use and have not been changed. Here is the output when the server is processing packets: (0) Received Access-Request Id 150 from 192.168.1.5:61168 to 192.168.1.4:1812 length 381 (0) User-Name = "testuser@ringlingtest.com" (0) Service-Type = Framed-User (0) Cisco-AVPair = "service-type=Framed" (0) Framed-MTU = 1485 (0) EAP-Message = 0x02010018014b4b45494c534f4e4064657061756c2e656475 (0) Message-Authenticator = 0x168a719ee6ceaba1d478fa2f469bf647 (0) Cisco-AVPair = "audit-session-id=B5BF26D800000D54C6C4F544" (0) Cisco-AVPair = "method=dot1x" (0) Cisco-AVPair = "client-iif-id=855639101" (0) Cisco-AVPair = "vlan-id=5" (0) NAS-IP-Address = 192.168.1.5 (0) NAS-Port-Id = "capwap_9000013c" (0) NAS-Port-Type = Wireless-802.11 (0) NAS-Port = 6018 (0) Called-Station-Id = "07-4c-d9-2e-12-c0:eduroam" (0) Calling-Station-Id = "e0-32-7e-72-b4-9a" (0) Airespace-Wlan-Id = 4 (0) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (0) NAS-Identifier = "test-controller" (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy split_username_nai { (0) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (0) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE (0) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) { (0) update request { (0) EXPAND %{1} (0) --> testuser (0) &Stripped-User-Name := testuser (0) } # update request = noop (0) if ("%{3}" != '') { (0) EXPAND %{3} (0) --> ringlingtest.com (0) if ("%{3}" != '') -> TRUE (0) if ("%{3}" != '') { (0) update request { (0) EXPAND %{3} (0) --> ringlingtest.com (0) &Stripped-User-Domain = ringlingtest.com (0) } # update request = noop (0) } # if ("%{3}" != '') = noop (0) [updated] = updated (0) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated (0) ... skipping else: Preceding "if" was taken (0) } # policy split_username_nai = updated (0) if (noop || !&Stripped-User-Domain) { (0) if (noop || !&Stripped-User-Domain) -> FALSE (0) if (&Stripped-User-Domain != "ringling.edu") { (0) if (&Stripped-User-Domain != "ringling.edu") -> TRUE (0) if (&Stripped-User-Domain != "ringling.edu") { (0) update { (0) control:Load-Balance-Key := &Calling-Station-ID -> 'e0-32-7e-72-b4-9a' (0) control:Proxy-To-Realm := 'DEFAULT' (0) request:Operator-Name := "1ringling.edu" (0) } # update = noop (0) return (0) } # if (&Stripped-User-Domain != "ringling.edu") = noop (0) } # authorize = updated (0) Starting proxy to home server 163.253.30.2 port 1812 (0) # Executing section pre-proxy from file /etc/raddb/sites-enabled/default (0) pre-proxy { (0) attr_filter.pre-proxy: EXPAND %{Realm} (0) attr_filter.pre-proxy: --> DEFAULT (0) attr_filter.pre-proxy: Matched entry DEFAULT at line 50 (0) [attr_filter.pre-proxy] = updated (0) } # pre-proxy = updated (0) Proxying request to home server 163.253.30.2 port 1812 timeout 30.000000 (0) Sent Access-Request Id 59 from 0.0.0.0:42392 to 163.253.30.2:1812 length 160 (0) User-Name = "testuser" (0) EAP-Message = 0x02010018014b4b45494c534f4e4064657061756c2e656475 (0) Message-Authenticator = 0x168a719ee6ceaba1d478fa2f469bf647 (0) NAS-IP-Address = 192.168.1.4 (0) Called-Station-Id = "08-4f-f9-2e-13-c0:eduroam" (0) Calling-Station-Id = "e0-32-7e-72-b4-9a" (0) NAS-Identifier = "test-controller" (0) Operator-Name := "1ringling.edu" (0) Proxy-State = 0x313530 Waking up in 0.3 seconds. (0) Marking home server 163.253.30.2 port 1812 alive (0) Clearing existing &reply: attributes (0) Received Access-Reject Id 59 from 163.253.30.2:1812 to 199.27.242.193:42392 length 89 (0) Message-Authenticator = 0xde3171110d3a45e469ec27c03d000dad (0) EAP-Message = 0x04010004 (0) Reply-Message = "Empty Realm Forwarded by ringling.edu." (0) Proxy-State = 0x313530 (0) # Executing section post-proxy from file /etc/raddb/sites-enabled/default (0) post-proxy { (0) attr_filter.post-proxy: EXPAND %{Realm} (0) attr_filter.post-proxy: --> DEFAULT (0) attr_filter.post-proxy: Matched entry DEFAULT at line 102 (0) [attr_filter.post-proxy] = updated (0) eap: No pre-existing handler found (0) [eap] = noop (0) } # post-proxy = updated (0) Login incorrect (Home Server says so): [testuser@ringlingtest.com] (from client test-controller port 6018 cli e0-32-7e-72-b4-9a) (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> testuser@ringlingtest.com (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> TRUE (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) update reply { (0) &Reply-Message !* ANY (0) } # update reply = noop (0) } # if (&reply:EAP-Message && &reply:Reply-Message) = noop (0) ... skipping else: Preceding "if" was taken (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Login incorrect: [testuser@ringlingtest.com] (from client amplify-controller port 6018 cli e0-32-7e-72-b4-9a) (0) Sent Access-Reject Id 150 from 199.27.242.193:1812 to 192.168.1.5:61168 length 0 (0) Message-Authenticator = 0xde3171110d3a45e469ec27c03d000dad (0) EAP-Message = 0x04010004 (0) Finished request Waking up in 4.9 seconds. Kyle Keilson Manager, macOS Technology and Help Desk Institutional Technology Ringling College of Art and Design 2700 N Tamiami Trail Sarasota, FL 34234 Office: 941.359.7633 Web: www.ringling.edu <http://www.ringling.edu/> On 4/29/20, 12:26 PM, "Freeradius-Users on behalf of Alan DeKok" <freeradius-users-bounces+kkeilson=ringling.edu@lists.freeradius.org on behalf of aland@deployingradius.com> wrote: On Apr 29, 2020, at 12:21 PM, Kyle Keilson <kkeilson@ringling.edu> wrote: > > I’ve installed CentOS 8 with FreeRadius 3.0.17 and encountering an issue with eap proxied requests. When a client is proxied to another server, the EAP response is: > > eap: The RADIUS client has mangled the State attribute, OR you are forcing EAP in the wrong situation > > I’ve also noticed that the username from the EAP request is filtering out the suffix before proxying to another server. Any thoughts on why this is occurring? Because you configured it to do this. That isn't the default configuration. In order to see *why* this is happening, read the debug output. > Below is the output from radiusd -X command: That isn't helpful. See the docs: https://nam01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwiki.freeradius.org%2Flist-help&data=02%7C01%7Ckkeilson%40ringling.edu%7Cf78bbacff341470c5e1208d7ec5a0c55%7C4a0ab0eb147e46e6a02569574c2f3fed%7C0%7C0%7C637237743824020748&sdata=PAgvoTT5ZkWpKoN4PbZ1ob1S%2BJDmKjBaRjmCXb7nZi0%3D&reserved=0 We need to see the debug when the server is processing packets. Nothing else will help. Alan DeKok. - List info/subscribe/unsubscribe? See https://nam01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=02%7C01%7Ckkeilson%40ringling.edu%7Cf78bbacff341470c5e1208d7ec5a0c55%7C4a0ab0eb147e46e6a02569574c2f3fed%7C0%7C0%7C637237743824020748&sdata=ssp0Rbefu3GVNdkm5EehPQPge1McdA0HZqAH%2BKjV8qQ%3D&reserved=0