Hi all, We are trying to set up an environment with 802.1x + Freeradius for our Wireless net. Our goal is to authenticate Windows XP clients using EAP. Our radius server is bound to an LDAP database. We have tested our users with a "radius-test" tool and everything seems to work fine, but when trying to validate in our 802.1x environment, the radius server rejects the user. In fact, although we get a "authorize returns ok", there seems to be an additional check that claims the user has no password. Any ideas? We attach the radiusd log (hope it helps!). Thanks in advance, rad_recv: Access-Request packet from host **NAS_ IP_ADDRESS** port 1027, id=2, length=187 Message-Authenticator = 0xc40883257068815f1b14f3b80780eeab Service-Type = Framed-User User-Name = "ID_of_USER" Framed-MTU = 1488 State = 0xb32f32ffc94e41b83d5af8f919ee449e Called-Station-Id = "00-12-CF-1A-15-80:Eduroam" Calling-Station-Id = "00-0E-35-FE-1F-6D" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020200060319 NAS-IP-Address = 1.0.1.2 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 radius_xlat: '/home/radmgr/freeradius/var/log/radius/radacct/158.109.1.15/auth-detail-20070201' rlm_detail: /home/radmgr/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /home/radmgr/freeradius/var/log/radius/radacct/NAS_IP_ADDRESS/auth-detail-20070201 radius_xlat: 'Thu Feb 1 17:06:44 2007' modcall[authorize]: module "auth_log" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "ID_of_USER", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: Ignoring NAK with request for unknown EAP type modcall[authorize]: module "eap" returns noop for request 6 rlm_ldap: - authorize rlm_ldap: performing user authorization for ID_of_USER radius_xlat: '(uid=ID_of_USER)' radius_xlat: 'ou=People,dc=my_org,dc=es' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=my_org,dc=es, with filter (uid=ID_of_USER) rlm_ldap: Password header not found in password {SSHA}HzNGeJ1eXDD/B9ZOG+QdbpeCGUx1Q+UiMSdLZg== for user ID_of_USER rlm_ldap: Added User-Password = {SSHA}HzNGeJ1eXDD/B9ZOG+QdbpeCGUx1Q+UiMSdLZg== in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Adding LDAP attribute UserClass as RADIUS attribute Filter-Id = GRUPS_INTERES#951#Servei d'InformÃ?tica rlm_ldap: Adding LDAP attribute UserClass as RADIUS attribute Filter-Id = USUARI_PROVES#951#Servei d'InformÃ?tica rlm_ldap: user IP_of_USER authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 6 modcall: group authorize returns ok for request 6 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type Local auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user. Login incorrect: [ID_of_User/<no User-Password attribute>] (from client NAS_IP_ADDRESS port 1 cli 00-0E-35-FE-1F-6D) Delaying request 6 for 1 seconds Finished request 6 Going to the next request Waking up in 5 seconds... --- Walking the entire request list --- Sending Access-Reject of id 2 to NAS_IP_ADDRESS port 1027 Filter-Id = "GRUPS_INTERES#951#Servei d'Inform\303\240tica" Cleaning up request 6 ID 2 with timestamp 45c21014 Cleaning up request 5 ID 1 with timestamp 45c21014 Cleaning up request 4 ID 0 with timestamp 45c21014 Nothing to do. Sleeping until we see a request. -- Ramón Barquier Montalbán Comunicacions Servei d'Informàtica Edifici D Campus de la UAB 08193 Bellaterra. Barcelona Tel. +34 935 811 488 Fax: +34 935 812 094 Ramon.Barquier@uab.es www.uab.es/si