Hi Arran. Thanks for your help.

 
You should only see the above entry with -C...

But it happens with "radiusd -X".
 
Modules which utilise a finite pool of connections to another server should not
be loaded in config check mode, as instantiation may erroneously fail due to
connection limits.

Confirm you saw that in the output of '-X' and not '-C'.

Confirmed.
 

> (0)   [files] = ok
> (0) ERROR: ldap_yyyyy : All ldap connections are in use
> (0)   [ldap_yyyyy] = fail
> (0)  } #  authorize = fail

No, I cannot see any reason for that, and it works fine for me and others.

Please provide full debug, and confirm you experienced that issue on the first
request.

Full debug:
 
radiusd: FreeRADIUS Version 3.1.0, for host x86_64-unknown-linux-gnu, built on Jan  9 2014 at 11:37:24
Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/local/etc/raddb/dictionary
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/mods-enabled/
including configuration file /usr/local/etc/raddb/mods-enabled/ldap_deusto
including configuration file /usr/local/etc/raddb/mods-enabled/realm
including configuration file /usr/local/etc/raddb/mods-enabled/ldap_opendeusto
including configuration file /usr/local/etc/raddb/mods-enabled/utf8
including configuration file /usr/local/etc/raddb/mods-enabled/logintime
including configuration file /usr/local/etc/raddb/mods-enabled/digest
including configuration file /usr/local/etc/raddb/mods-enabled/linelog
including configuration file /usr/local/etc/raddb/mods-enabled/passwd
including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap
including configuration file /usr/local/etc/raddb/mods-enabled/exec
including configuration file /usr/local/etc/raddb/mods-enabled/expr
including configuration file /usr/local/etc/raddb/mods-enabled/dhcp
including configuration file /usr/local/etc/raddb/mods-enabled/chap
including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
including configuration file /usr/local/etc/raddb/mods-enabled/detail
including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
including configuration file /usr/local/etc/raddb/mods-enabled/echo
including configuration file /usr/local/etc/raddb/mods-enabled/mschap
including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
including configuration file /usr/local/etc/raddb/mods-enabled/unix
including configuration file /usr/local/etc/raddb/mods-enabled/expiration
including configuration file /usr/local/etc/raddb/mods-enabled/pap
including configuration file /usr/local/etc/raddb/mods-enabled/replicate
including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
including configuration file /usr/local/etc/raddb/mods-enabled/eap
including configuration file /usr/local/etc/raddb/mods-enabled/files
including configuration file /usr/local/etc/raddb/mods-enabled/soh
including configuration file /usr/local/etc/raddb/mods-enabled/always
including files in directory /usr/local/etc/raddb/policy.d/
including configuration file /usr/local/etc/raddb/policy.d/control
including configuration file /usr/local/etc/raddb/policy.d/accounting
including configuration file /usr/local/etc/raddb/policy.d/operator-name
including configuration file /usr/local/etc/raddb/policy.d/canonicalization
including configuration file /usr/local/etc/raddb/policy.d/cui
including configuration file /usr/local/etc/raddb/policy.d/filter
including configuration file /usr/local/etc/raddb/policy.d/dhcp
including configuration file /usr/local/etc/raddb/policy.d/eap
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
main {
 security {
     allow_core_dumps = no
 }
}
main {
    name = "radiusd"
    prefix = "/usr/local"
    localstatedir = "/usr/local/var"
    sbindir = "/usr/local/sbin"
    logdir = "/usr/local/var/log/radius"
    run_dir = "/usr/local/var/run/radiusd"
    libdir = "/usr/local/lib"
    radacctdir = "/usr/local/var/log/radius/radacct"
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
    checkrad = "/usr/local/sbin/checkrad"
    debug_level = 0
    proxy_requests = yes
 log {
     stripped_names = no
     auth = no
     auth_badpass = no
     auth_goodpass = no
     colourise = yes
 }
 security {
     max_attributes = 200
     reject_delay = 1
     status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
     retry_delay = 5
     retry_count = 3
     default_fallback = no
     dead_time = 120
     wake_all_if_all_dead = no
 }
 home_server localhost {
     ipaddr = 127.0.0.1
     port = 1812
     type = "auth"
     secret = "testing123"
     response_window = 20
     max_outstanding = 65536
     zombie_period = 40
     status_check = "status-server"
     ping_interval = 30
     check_interval = 30
     num_answers_to_alive = 3
     revive_interval = 120
     status_check_timeout = 4
  coa {
      irt = 2
      mrt = 16
      mrc = 5
      mrd = 30
  }
  limit {
      max_connections = 16
      max_requests = 0
      lifetime = 0
      idle_timeout = 0
  }
 }
 home_server <edited> {
     ipaddr = <edited>
     port = 1812
     type = "auth"
     secret = "<edited>"
     response_window = 20
     max_outstanding = 65536
     zombie_period = 40
     status_check = "status-server"
     ping_interval = 30
     check_interval = 30
     num_answers_to_alive = 3
     revive_interval = 120
     status_check_timeout = 4
  coa {
      irt = 2
      mrt = 16
      mrc = 5
      mrd = 30
  }
  limit {
      max_connections = 16
      max_requests = 0
      lifetime = 0
      idle_timeout = 0
  }
 }
 home_server <edited> {
     ipaddr = 130.206.1.107
     port = 1812
     type = "auth"
     secret = "<edited>"
     response_window = 20
     max_outstanding = 65536
     zombie_period = 40
     status_check = "status-server"
     ping_interval = 30
     check_interval = 30
     num_answers_to_alive = 3
     revive_interval = 120
     status_check_timeout = 4
  coa {
      irt = 2
      mrt = 16
      mrc = 5
      mrd = 30
  }
  limit {
      max_connections = 16
      max_requests = 0
      lifetime = 0
      idle_timeout = 0
  }
 }
 home_server_pool my_auth_failover {
    type = fail-over
    home_server = localhost
 }
 realm example.com {
    auth_pool = my_auth_failover
 }
 realm deusto.es {
    nostrip
    authhost = LOCAL
 }
 realm opendeusto.es {
    nostrip
    authhost = LOCAL
 }
 realm LOCAL {
 }
 realm NULL {
 }
 home_server_pool eduroam_pool {
    type = client-balance
    home_server = <edited>
    home_server = <edited>
 }
 realm DEFAULT {
    auth_pool = eduroam_pool
    nostrip
 }
radiusd: #### Loading Clients ####
 client localhost {
     ipaddr = 127.0.0.1
     require_message_authenticator = no
     secret = "testing123"
     nas_type = "other"
     proto = "*"
  limit {
      max_connections = 16
      lifetime = 0
      idle_timeout = 30
  }
 }
 client 192.168.250.250 {
     require_message_authenticator = no
     secret = "<edited>"
     shortname = "eduroam"
  limit {
      max_connections = 16
      lifetime = 0
      idle_timeout = 30
  }
 }
 client 192.168.250.248 {
     require_message_authenticator = no
     secret = "<edited>"
     shortname = "eduroam"
  limit {
      max_connections = 16
      lifetime = 0
      idle_timeout = 30
  }
 }
 client 192.168.250.246 {
     require_message_authenticator = no
     secret = "<edited>"
     shortname = "eduroam"
  limit {
      max_connections = 16
      lifetime = 0
      idle_timeout = 30
  }
 }
 client <edited> {
     require_message_authenticator = no
     secret = "<edited>"
     shortname = "eduroam"
  limit {
      max_connections = 16
      lifetime = 0
      idle_timeout = 30
  }
 }
 client <edited> {
     require_message_authenticator = no
     secret = "<edited>"
     shortname = "eduroam"
  limit {
      max_connections = 16
      lifetime = 0
      idle_timeout = 30
  }
 }
 client <edited> {
     require_message_authenticator = no
     secret = "<edited>"
     shortname = "eduroam"
  limit {
      max_connections = 16
      lifetime = 0
      idle_timeout = 30
  }
 }
 client 192.168.0.1 {
     require_message_authenticator = no
     secret = "<edited>"
     shortname = "eduroam"
  limit {
      max_connections = 16
      lifetime = 0
      idle_timeout = 30
  }
 }
 client 192.168.0.250 {
     require_message_authenticator = no
     secret = "<edited>"
     shortname = "eduroam"
  limit {
      max_connections = 16
      lifetime = 0
      idle_timeout = 30
  }
 }
 client 192.168.252.2 {
     require_message_authenticator = no
     secret = "<edited>"
     shortname = "vpn"
  limit {
      max_connections = 16
      lifetime = 0
      idle_timeout = 30
  }
 }
 client 172.16.250.11 {
     require_message_authenticator = no
     secret = "<edited>"
     shortname = "urano"
  limit {
      max_connections = 16
      lifetime = 0
      idle_timeout = 30
  }
 }
 client <edited> {
     require_message_authenticator = no
     secret = "<edited>"
     shortname = "eduroam"
  limit {
      max_connections = 16
      lifetime = 0
      idle_timeout = 30
  }
 }
 client <edited> {
     require_message_authenticator = no
     secret = "<edited>"
     shortname = "eduroam"
  limit {
      max_connections = 16
      lifetime = 0
      idle_timeout = 30
  }
 }
 client <edited> {
     require_message_authenticator = no
     secret = "<edited>"
     shortname = "eduroam"
  limit {
      max_connections = 16
      lifetime = 0
      idle_timeout = 30
  }
 }
radiusd: #### Instantiating modules ####
 instantiate {
 }
 modules {
  # Loaded module rlm_ldap
  # Skipping instantiation of ldap_deusto
  ldap ldap_deusto {
      server = "<edited>"
      port = 636
      password = "<edited>"
      identity = "radius@deusto.es"
   user {
       filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
       scope = "sub"
       base_dn = "dc=deusto,dc=es"
       access_positive = yes
   }
   group {
       filter = "(objectClass=posixGroup)"
       scope = "sub"
       base_dn = "dc=deusto,dc=es"
       name_attribute = "cn"
       membership_attribute = "memberOf"
       cacheable_name = no
       cacheable_dn = no
   }
   client {
       filter = "(objectClass=frClient)"
       scope = "sub"
       base_dn = "dc=deusto,dc=es"
    attribute {
        identifier = "radiusClientIdentifier"
        shortname = "cn"
        secret = "radiusClientSecret"
    }
   }
   profile {
       filter = "(&)"
   }
   options {
       ldap_debug = 40
       chase_referrals = no
       rebind = yes
       net_timeout = 2
       res_timeout = 20
       srv_timelimit = 20
       idle = 60
       probes = 3
       interval = 3
   }
   tls {
       ca_file = "/usr/local/etc/raddb/certs/<edited>.crt"
       start_tls = no
       require_cert = "demand"
   }
  }
  # Loaded module rlm_realm
  # Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
  realm IPASS {
      format = "prefix"
      delimiter = "/"
      ignore_default = no
      ignore_null = no
  }
  # Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
  realm suffix {
      format = "suffix"
      delimiter = "@"
      ignore_default = no
      ignore_null = no
  }
  # Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
  realm realmpercent {
      format = "suffix"
      delimiter = "%"
      ignore_default = no
      ignore_null = no
  }
  # Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
  realm ntdomain {
      format = "prefix"
      delimiter = "\"
      ignore_default = no
      ignore_null = no
  }
  # Skipping instantiation of ldap_opendeusto
  ldap ldap_opendeusto {
      server = "<edited>"
      port = 636
      password = "<edited>"
      identity = "radius@opendeusto.es"
   user {
       filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
       scope = "sub"
       base_dn = "dc=opendeusto,dc=es"
       access_positive = yes
   }
   group {
       filter = "(objectClass=posixGroup)"
       scope = "sub"
       base_dn = "dc=opendeusto,dc=es"
       name_attribute = "cn"
       membership_attribute = "memberOf"
       cacheable_name = no
       cacheable_dn = no
   }
   client {
       filter = "(objectClass=frClient)"
       scope = "sub"
       base_dn = "dc=opendeusto,dc=es"
    attribute {
        identifier = "radiusClientIdentifier"
        shortname = "cn"
        secret = "radiusClientSecret"
    }
   }
   profile {
       filter = "(&)"
   }
   options {
       ldap_debug = 40
       chase_referrals = no
       rebind = yes
       net_timeout = 2
       res_timeout = 20
       srv_timelimit = 20
       idle = 60
       probes = 3
       interval = 3
   }
   tls {
       ca_file = "/usr/local/etc/raddb/certs/<edited>.crt"
       start_tls = no
       require_cert = "demand"
   }
  }
  # Loaded module rlm_utf8
  # Instantiating module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8
  # Loaded module rlm_logintime
  # Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
  logintime {
      minimum_timeout = 60
  }
  # Loaded module rlm_digest
  # Instantiating module "digest" from file /usr/local/etc/raddb/mods-enabled/digest
  # Loaded module rlm_linelog
  # Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
  linelog {
      filename = "/usr/local/var/log/radius/linelog"
      permissions = 384
      format = "This is a log message for %{User-Name}"
      reference = "%{%{Packet-Type}:-format}"
  }
  # Loaded module rlm_passwd
  # Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
  passwd etc_passwd {
      filename = "/etc/passwd"
      format = "*User-Name:Crypt-Password:"
      delimiter = ":"
      ignore_nislike = no
      ignore_empty = yes
      allow_multiple_keys = no
      hash_size = 100
  }
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
  # Loaded module rlm_exec
  # Instantiating module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth
  exec ntlm_auth {
      wait = yes
      program = "/usr/bin/ntlm_auth --request-nt-key --domain=%{Realm} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --password=%{User-Password}"
      shell_escape = yes
  }
  # Loaded module rlm_dynamic_clients
  # Instantiating module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients
  # Loaded module rlm_cache
  # Skipping instantiation of cache_eap
  cache cache_eap {
      key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
      ttl = 15
      max_entries = 16384
      epoch = 0
      add_stats = no
  }
  # Instantiating module "exec" from file /usr/local/etc/raddb/mods-enabled/exec
  exec {
      wait = no
      input_pairs = "request"
      shell_escape = yes
      timeout = 10
  }
  # Loaded module rlm_expr
  # Instantiating module "expr" from file /usr/local/etc/raddb/mods-enabled/expr
  expr {
      safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
  }
  # Loaded module rlm_dhcp
  # Skipping instantiation of dhcp
  # Loaded module rlm_chap
  # Instantiating module "chap" from file /usr/local/etc/raddb/mods-enabled/chap
  # Loaded module rlm_radutmp
  # Instantiating module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp
  radutmp sradutmp {
      filename = "/usr/local/var/log/radius/sradutmp"
      username = "%{User-Name}"
      case_sensitive = yes
      check_with_nas = yes
      permissions = 420
      caller_id = no
  }
  # Loaded module rlm_detail
  # Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
  detail auth_log {
      filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
      header = "%t"
      permissions = 384
      dir_permissions = 493
      locking = no
      log_packet_header = no
  }
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
  # Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
  detail reply_log {
      filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
      header = "%t"
      permissions = 384
      dir_permissions = 493
      locking = no
      log_packet_header = no
  }
  # Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
  detail pre_proxy_log {
      filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
      header = "%t"
      permissions = 384
      dir_permissions = 493
      locking = no
      log_packet_header = no
  }
  # Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
  detail post_proxy_log {
      filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
      header = "%t"
      permissions = 384
      dir_permissions = 493
      locking = no
      log_packet_header = no
  }
  # Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
  detail {
      filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
      header = "%t"
      permissions = 384
      dir_permissions = 493
      locking = no
      log_packet_header = no
  }
  # Loaded module rlm_preprocess
  # Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
  preprocess {
      huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups"
      hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"
      with_ascend_hack = no
      ascend_channels_per_line = 23
      with_ntdomain_hack = no
      with_specialix_jetstream_hack = no
      with_cisco_vsa_hack = no
      with_alvarion_vsa_hack = no
  }
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints
  # Instantiating module "echo" from file /usr/local/etc/raddb/mods-enabled/echo
  exec echo {
      wait = yes
      program = "/bin/echo %{User-Name}"
      input_pairs = "request"
      output_pairs = "reply"
      shell_escape = yes
  }
  # Loaded module rlm_mschap
  # Skipping instantiation of mschap
  mschap {
      use_mppe = yes
      require_encryption = yes
      require_strong = yes
      with_ntdomain_hack = yes
      ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{Realm} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
   passchange {
   }
      allow_retry = yes
  }
  # Instantiating module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp
  radutmp {
      filename = "/usr/local/var/log/radius/radutmp"
      username = "%{User-Name}"
      case_sensitive = yes
      check_with_nas = yes
      permissions = 384
      caller_id = yes
  }
  # Loaded module rlm_unix
  # Instantiating module "unix" from file /usr/local/etc/raddb/mods-enabled/unix
  unix {
      radwtmp = "/usr/local/var/log/radius/radwtmp"
  }
  # Loaded module rlm_expiration
  # Skipping instantiation of expiration
  # Loaded module rlm_pap
  # Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
  pap {
      auto_header = no
      normalise = yes
  }
  # Loaded module rlm_replicate
  # Instantiating module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate
  # Loaded module rlm_attr_filter
  # Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
  attr_filter attr_filter.post-proxy {
      filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
      key = "%{Realm}"
      relaxed = no
  }
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy
  # Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
  attr_filter attr_filter.pre-proxy {
      filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
      key = "%{Realm}"
      relaxed = no
  }
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
  # Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
  attr_filter attr_filter.access_reject {
      filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
      key = "%{User-Name}"
      relaxed = no
  }
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject
  # Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
  attr_filter attr_filter.access_challenge {
      filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
      key = "%{User-Name}"
      relaxed = no
  }
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge
  # Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
  attr_filter attr_filter.accounting_response {
      filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
      key = "%{User-Name}"
      relaxed = no
  }
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response
  # Loaded module rlm_eap
  # Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
  eap {
      default_eap_type = "peap"
      timer_expire = 60
      ignore_unknown_eap_types = no
      mod_accounting_username_bug = no
      max_sessions = 4096
  }
   # Linked to sub-module rlm_eap_md5
   # Linked to sub-module rlm_eap_leap
   # Linked to sub-module rlm_eap_gtc
   gtc {
       challenge = "Password: "
       auth_type = "PAP"
   }
   # Linked to sub-module rlm_eap_tls
   tls {
       tls = "tls-common"
   }
   tls-config tls-common {
       rsa_key_exchange = no
       dh_key_exchange = yes
       rsa_key_length = 512
       dh_key_length = 512
       verify_depth = 0
       ca_path = "/usr/local/etc/raddb/certs"
       pem_file_type = yes
       private_key_file = "/usr/local/etc/raddb/certs/<edited>.key"
       certificate_file = "/usr/local/etc/raddb/certs/<edited>.crt"
       ca_file = "/usr/local/etc/raddb/certs/terena.crt"
       private_key_password = "<edited>"
       dh_file = "/usr/local/etc/raddb/certs/dh"
       fragment_size = 1024
       include_length = yes
       check_crl = no
       cipher_list = "DEFAULT"
       ecdh_curve = "prime256v1"
    cache {
        enable = yes
        lifetime = 2
        max_entries = 255
    }
    verify {
    }
    ocsp {
        enable = no
        override_cert_url = yes
        url = "http://127.0.0.1/ocsp/"
        use_nonce = yes
        timeout = 0
        softfail = yes
    }
   }
   # Linked to sub-module rlm_eap_ttls
   ttls {
       tls = "tls-common"
       default_eap_type = "md5"
       copy_request_to_tunnel = no
       use_tunneled_reply = no
       virtual_server = "inner-tunnel"
       include_length = yes
       require_client_cert = no
   }
Using cached TLS configuration from previous invocation
   # Linked to sub-module rlm_eap_peap
   peap {
       tls = "tls-common"
       default_method = "mschapv2"
       copy_request_to_tunnel = no
       use_tunneled_reply = no
       proxy_tunneled_request_as_eap = yes
       virtual_server = "inner-tunnel"
       soh = no
       require_client_cert = no
   }
Using cached TLS configuration from previous invocation
   # Linked to sub-module rlm_eap_mschapv2
   mschapv2 {
       with_ntdomain_hack = no
       send_error = no
   }
  # Loaded module rlm_files
  # Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files
  files {
      filename = "/usr/local/etc/raddb/mods-config/files/authorize"
      usersfile = "/usr/local/etc/raddb/mods-config/files/authorize"
      acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"
      preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy"
      compat = "no"
  }
reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize
reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize
reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting
reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy
  # Loaded module rlm_soh
  # Skipping instantiation of soh
  soh {
      dhcp = yes
  }
  # Loaded module rlm_always
  # Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always
  always fail {
      rcode = "fail"
      simulcount = 0
      mpp = no
  }
  # Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always
  always reject {
      rcode = "reject"
      simulcount = 0
      mpp = no
  }
  # Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always
  always noop {
      rcode = "noop"
      simulcount = 0
      mpp = no
  }
  # Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always
  always handled {
      rcode = "handled"
      simulcount = 0
      mpp = no
  }
  # Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always
  always updated {
      rcode = "updated"
      simulcount = 0
      mpp = no
  }
  # Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
  always notfound {
      rcode = "notfound"
      simulcount = 0
      mpp = no
  }
  # Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always
  always ok {
      rcode = "ok"
      simulcount = 0
      mpp = no
  }
 } # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
} # server
server default { # from file /usr/local/etc/raddb/sites-enabled/default
 # Creating Auth-Type = digest
 # Loading authenticate {...}
 # Loading authorize {...}
 # Loading virtual module filter_username
 # Loading preacct {...}
 # Loading virtual module acct_unique
 # Loading accounting {...}
WARNING: Ignoring "sql" (see raddb/mods-available/README.rst)
 # Loading post-proxy {...}
 # Loading post-auth {...}
WARNING: Ignoring "sql" (see raddb/mods-available/README.rst)
 # Loading virtual module remove_reply_message_if_eap
 # Loading virtual module remove_reply_message_if_eap
} # server default
server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
 # Loading authenticate {...}
 # Loading authorize {...}
WARNING: Ignoring "sql" (see raddb/mods-available/README.rst)
 # Loading session {...}
 # Loading post-proxy {...}
 # Loading post-auth {...}
WARNING: Ignoring "sql" (see raddb/mods-available/README.rst)
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
      type = "auth"
      ipaddr = *
      port = 0
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
}
listen {
      type = "acct"
      ipaddr = *
      port = 0
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
}
listen {
      type = "auth"
      ipaddr = 127.0.0.1
      port = 18120
}
Listening on auth address * port 1812 as server default
Listening on acct address * port 1813 as server default
Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
Opening new proxy address * port 1814
Listening on proxy address * port 1814
Ready to process requests
rad_recv: Access-Request packet from host 127.0.0.1 port 36417, id=18, length=92
    User-Name = 'nagios'
    User-Password = '<edited>'
    NAS-IP-Address = <edited>
    NAS-Port = 1812
    Message-Authenticator = 0x64556e4fd5987e51d649edf493c2e0a2
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)   filter_username filter_username {
(0)    ? if (!User-Name)
(0)    ? if (!User-Name)  -> FALSE
(0)    ? if (User-Name != "%{tolower:%{User-Name}}")
(0)     expand: "%{tolower:%{User-Name}}" -> 'nagios'
(0)    ? if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(0)    ? if (User-Name =~ / /)
(0)    ? if (User-Name =~ / /)  -> FALSE
(0)    ? if (User-Name =~ /@.*@/ )
(0)    ? if (User-Name =~ /@.*@/ )  -> FALSE
(0)    ? if (User-Name =~ /\\.\\./ )
(0)    ? if (User-Name =~ /\\.\\./ )  -> FALSE
(0)    ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) 
(0)    ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(0)    ? if (User-Name =~ /\\.$/) 
(0)    ? if (User-Name =~ /\\.$/)   -> FALSE
(0)    ? if (User-Name =~ /@\\./) 
(0)    ? if (User-Name =~ /@\\./)   -> FALSE
(0)   } # filter_username filter_username = notfound
(0)   [preprocess] = ok
(0)   [chap] = noop
(0)   [mschap] = noop
(0)   [digest] = noop
(0) suffix : No '@' in User-Name = "nagios", looking up realm NULL
(0) suffix : Found realm "NULL"
(0) suffix : Adding Stripped-User-Name = "nagios"
(0) suffix : Adding Realm = "NULL"
(0) suffix : Authentication realm is LOCAL
(0)   [suffix] = ok
(0) eap : No EAP-Message, not doing EAP
(0)   [eap] = noop
(0) files : users: Matched entry nagios at line 108
(0)   [files] = ok
(0) ERROR: ldap_opendeusto : All ldap connections are in use
(0)   [ldap_opendeusto] = fail
(0)  } #  authorize = fail
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)  Post-Auth-Type REJECT {
(0) attr_filter.access_reject :     expand: "%{User-Name}" -> 'nagios'
(0) attr_filter.access_reject : Matched entry DEFAULT at line 11
(0)   [attr_filter.access_reject] = updated
(0) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure
(0)   [eap] = noop
(0)   remove_reply_message_if_eap remove_reply_message_if_eap {
(0)    ? if (reply:EAP-Message && reply:Reply-Message)
(0)    ? if (reply:EAP-Message && reply:Reply-Message)  -> FALSE
(0)    else else {
(0)     [noop] = noop
(0)    } # else else = noop
(0)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(0)  } # Post-Auth-Type REJECT = updated
(0) Finished request 0.
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed reject
Sending Access-Reject of id 18 from 127.0.0.1 port 1812 to 127.0.0.1 port 36417
    Reply-Message = 'OK'
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 18 with timestamp +2
Ready to process requests


As you can see, it's the first request.

Hope it helps you helping me O:)