Ivan, Here is the radiusd -X output: Thanks main { prefix = "/usr" localstatedir = "/var" logdir = "/usr/local/jboss/server/zzjbossserver/log" libdir = "/usr/lib" radacctdir = "/usr/local/jboss/server/zzjbossserver/log/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = no } } client 10.12.18.4 { require_message_authenticator = no secret = "zz" shortname = "3750" } client 127.0.0.1 { require_message_authenticator = no secret = "zz" shortname = "example" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = yes dead_time = 100 wake_all_if_all_dead = no } realm example { authhost = LOCAL accthost = LOCAL } realm tpw5.com { authhost = LOCAL accthost = LOCAL } realm tpw5 { authhost = LOCAL accthost = LOCAL } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr } radiusd: #### Loading Virtual Servers #### modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "crypt" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = yes require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/sudo /usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-%{mschap:User-Name}}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/usr/local/jboss/server/zzjbossserver/log/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/opt/zz/current/radius/raddb/port_1812/cert_privkey.key" certificate_file = "/opt/zz/current/radius/raddb/port_1812/cert_certificate.pem" CA_file = "/opt/zz/current/radius/raddb/port_1812/cert_ca_cert.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = yes } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = yes use_tunneled_reply = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Linked to module rlm_ldap Module: Instantiating tpw5.com ldap tpw5.com { server = "10.12.19.12" port = 3268 password = "password" identity = "Administrator@tpw5.com" net_timeout = 10 timeout = 20 timelimit = 20 tls_mode = no start_tls = no tls_require_cert = "allow" basedn = "CN=Users,DC=tpw5,DC=com" filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/opt/zz/current/radius/raddb/port_1812/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes edir_account_policy_check = yes set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Creating new attribute tpw5.com-Ldap-Group rlm_ldap: Registering ldap_groupcmp for tpw5.com-Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name tpw5.com rlm_ldap: reading ldap<->radius mappings from file /opt/zz/current/radius/raddb/port_1812/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message conns: 0x9db9aa0 Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/opt/zz/current/radius/raddb/port_1812/huntgroups" hints = "/opt/zz/current/radius/raddb/port_1812/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating realmpercent realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = yes } Module: Instantiating ntdomain realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = yes } Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/opt/zz/current/radius/raddb/port_1812/users" acctusersfile = "/opt/zz/current/radius/raddb/port_1812/acct_users" preproxy_usersfile = "/opt/zz/current/radius/raddb/port_1812/preproxy_users" compat = "no" } Module: Checking preacct {...} for more modules to load Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/usr/local/jboss/server/zzjbossserver/log/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/usr/local/jboss/server/zzjbossserver/log/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_jradius radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 1812 } Listening on authentication address * port 1812 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=100, length=126 NAS-IP-Address = 10.12.18.4 NAS-Port-Type = Async User-Name = "TPW5\\administrator" Service-Type = Framed Framed-MTU = 1500 Calling-Station-Id = "00-0b-db-0a-ed-eb" EAP-Message = 0x0200001701545057355c61646d696e6973747261746f72 Message-Authenticator = 0x06f820c71907e184080fd19cd6e84fd0 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. ++[realmpercent] returns noop [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" [ntdomain] Found realm "tpw5" [ntdomain] Adding Stripped-User-Name = "administrator" [ntdomain] Adding Realm = "tpw5" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [suffix] Request already proxied. Ignoring. ++[suffix] returns ok [eap] EAP packet type response id 0 length 23 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 100 to 10.12.18.4 port 1812 EAP-Message = 0x0101001604105ad65c5e373632a60f58c8699b2db79e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6ccc7ea76ccd7ad3e72180cc6356312d Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=101, length=127 NAS-IP-Address = 10.12.18.4 NAS-Port-Type = Async User-Name = "TPW5\\administrator" Service-Type = Framed Framed-MTU = 1500 Calling-Station-Id = "00-0b-db-0a-ed-eb" State = 0x6ccc7ea76ccd7ad3e72180cc6356312d EAP-Message = 0x020100060319 Message-Authenticator = 0x2c9415792a87d0100d36482b8e227326 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. ++[realmpercent] returns noop [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" [ntdomain] Found realm "tpw5" [ntdomain] Adding Stripped-User-Name = "administrator" [ntdomain] Adding Realm = "tpw5" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [suffix] Request already proxied. Ignoring. ++[suffix] returns ok [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 101 to 10.12.18.4 port 1812 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6ccc7ea76dce67d3e72180cc6356312d Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=102, length=201 NAS-IP-Address = 10.12.18.4 NAS-Port-Type = Async User-Name = "TPW5\\administrator" Service-Type = Framed Framed-MTU = 1500 Calling-Station-Id = "00-0b-db-0a-ed-eb" State = 0x6ccc7ea76dce67d3e72180cc6356312d EAP-Message = 0x0202005019800000004616030100410100003d030149497fc0589d066d3182d4e06110415db7e9cce189ba524ed9da5a2b90466e9400001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0x1b286efae0fc2cac4e562d2c8b06225f +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. ++[realmpercent] returns noop [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" [ntdomain] Found realm "tpw5" [ntdomain] Adding Stripped-User-Name = "administrator" [ntdomain] Adding Realm = "tpw5" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [suffix] Request already proxied. Ignoring. ++[suffix] returns ok [eap] EAP packet type response id 2 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 70 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0041], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 06ef], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 102 to 10.12.18.4 port 1812 EAP-Message = EAP-Message = EAP-Message = EAP-Message = EAP-Message = Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6ccc7ea76ecf67d3e72180cc6356312d Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=103, length=127 NAS-IP-Address = 10.12.18.4 NAS-Port-Type = Async User-Name = "TPW5\\administrator" Service-Type = Framed Framed-MTU = 1500 Calling-Station-Id = "00-0b-db-0a-ed-eb" State = 0x6ccc7ea76ecf67d3e72180cc6356312d EAP-Message = 0x020300061900 Message-Authenticator = 0xf25c9f0d7a0c9a2a5873708bddf1901f +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. ++[realmpercent] returns noop [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" [ntdomain] Found realm "tpw5" [ntdomain] Adding Stripped-User-Name = "administrator" [ntdomain] Adding Realm = "tpw5" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [suffix] Request already proxied. Ignoring. ++[suffix] returns ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 103 to 10.12.18.4 port 1812 EAP-Message = EAP-Message = EAP-Message = EAP-Message = Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6ccc7ea76fc867d3e72180cc6356312d Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=104, length=313 NAS-IP-Address = 10.12.18.4 NAS-Port-Type = Async User-Name = "TPW5\\administrator" Service-Type = Framed Framed-MTU = 1500 Calling-Station-Id = "00-0b-db-0a-ed-eb" State = 0x6ccc7ea76fc867d3e72180cc6356312d EAP-Message = Message-Authenticator = +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. ++[realmpercent] returns noop [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" [ntdomain] Found realm "tpw5" [ntdomain] Adding Stripped-User-Name = "administrator" [ntdomain] Adding Realm = "tpw5" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [suffix] Request already proxied. Ignoring. ++[suffix] returns ok [eap] EAP packet type response id 4 length 192 [eap] Continuing tunnel setup. ++[eap] returns ok ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 182 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 104 to 10.12.18.4 port 1812 EAP-Message = 0x0105003119001403010001011603010020a1ba5949221dd59f2e8453311aec9c6c1d2e60cff4a6b017df386d2fa527f2c7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6ccc7ea768c967d3e72180cc6356312d Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=105, length=127 NAS-IP-Address = 10.12.18.4 NAS-Port-Type = Async User-Name = "TPW5\\administrator" Service-Type = Framed Framed-MTU = 1500 Calling-Station-Id = "00-0b-db-0a-ed-eb" State = 0x6ccc7ea768c967d3e72180cc6356312d EAP-Message = 0x020500061900 Message-Authenticator = 0x1de51ad1c24ebe21f7be45e6177e6693 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. ++[realmpercent] returns noop [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" [ntdomain] Found realm "tpw5" [ntdomain] Adding Stripped-User-Name = "administrator" [ntdomain] Adding Realm = "tpw5" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [suffix] Request already proxied. Ignoring. ++[suffix] returns ok [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 105 to 10.12.18.4 port 1812 EAP-Message = 0x0106002019001703010015772e7cc1d5e3d2757502d491ac6a9ecbcb24c165c4 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6ccc7ea769ca67d3e72180cc6356312d Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=106, length=167 NAS-IP-Address = 10.12.18.4 NAS-Port-Type = Async User-Name = "TPW5\\administrator" Service-Type = Framed Framed-MTU = 1500 Calling-Station-Id = "00-0b-db-0a-ed-eb" State = 0x6ccc7ea769ca67d3e72180cc6356312d EAP-Message = 0x0206002e190017030100230e1c053c3bcebe8892859e8bbfac2208ed26c7cf5f2f9c25627c2c0115038d12e7392f Message-Authenticator = 0xdd0722594d8f86b0139a64ac045cc96a +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. ++[realmpercent] returns noop [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" [ntdomain] Found realm "tpw5" [ntdomain] Adding Stripped-User-Name = "administrator" [ntdomain] Adding Realm = "tpw5" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [suffix] Request already proxied. Ignoring. ++[suffix] returns ok [eap] EAP packet type response id 6 length 46 [eap] Continuing tunnel setup. ++[eap] returns ok ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - TPW5\administrator [peap] Got tunneled request EAP-Message = 0x0206001701545057355c61646d696e6973747261746f72 server { PEAP: Got tunneled identity of TPW5\administrator PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to TPW5\administrator Sending tunneled request EAP-Message = 0x0206001701545057355c61646d696e6973747261746f72 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "TPW5\\administrator" NAS-IP-Address = 10.12.18.4 NAS-Port-Type = Async Service-Type = Framed Framed-MTU = 1500 Calling-Station-Id = "00-0b-db-0a-ed-eb" server { +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. ++[realmpercent] returns noop [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" [ntdomain] Found realm "tpw5" [ntdomain] Adding Stripped-User-Name = "administrator" [ntdomain] Adding Realm = "tpw5" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [suffix] Request already proxied. Ignoring. ++[suffix] returns ok [eap] EAP packet type response id 6 length 23 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server [peap] Got tunneled reply code 11 EAP-Message = 0x0107002c1a010700271094f96e94ba4375f4d745f33741fac11e545057355c61646d696e6973747261746f72 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd40b48fbd47ae4a573dddc94033f1de [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0107002c1a010700271094f96e94ba4375f4d745f33741fac11e545057355c61646d696e6973747261746f72 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd40b48fbd47ae4a573dddc94033f1de [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 106 to 10.12.18.4 port 1812 EAP-Message = 0x01070043190017030100387cd98b9fe8e33bc0bc8dbbf8a2f139fd27cc793f0241af4a18afa6962c75c5183a63822faa5bf18b3d9460cf6a05071729ea6565ea039db5 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6ccc7ea76acb67d3e72180cc6356312d Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=107, length=221 NAS-IP-Address = 10.12.18.4 NAS-Port-Type = Async User-Name = "TPW5\\administrator" Service-Type = Framed Framed-MTU = 1500 Calling-Station-Id = "00-0b-db-0a-ed-eb" State = 0x6ccc7ea76acb67d3e72180cc6356312d EAP-Message = 0x0207006419001703010059f5d5f237a8b1b6a12ce80c36564ceed7ea4b77a2e021c87ab5c01015f679ab43a21c96092d0eb36c944690044e81504bf30d9a0ff0dcd6c5d5a6c036b298245967f69705f3c87d2ca8481b02cf79f3053546eeb7e09a5467ee Message-Authenticator = 0x80fc39ba54f43c51ba004c1d30942c56 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. ++[realmpercent] returns noop [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" [ntdomain] Found realm "tpw5" [ntdomain] Adding Stripped-User-Name = "administrator" [ntdomain] Adding Realm = "tpw5" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [suffix] Request already proxied. Ignoring. ++[suffix] returns ok [eap] EAP packet type response id 7 length 100 [eap] Continuing tunnel setup. ++[eap] returns ok ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0207004d1a020700483182563e83f60fc3886ae6a29eeaa3353c0000000000000000edfe77fdefdc346cfcb795de77c1bfb7e882075da213a53200545057355c61646d696e6973747261746f72 server { PEAP: Setting User-Name to TPW5\administrator Sending tunneled request EAP-Message = 0x0207004d1a020700483182563e83f60fc3886ae6a29eeaa3353c0000000000000000edfe77fdefdc346cfcb795de77c1bfb7e882075da213a53200545057355c61646d696e6973747261746f72 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "TPW5\\administrator" State = 0xbd40b48fbd47ae4a573dddc94033f1de NAS-IP-Address = 10.12.18.4 NAS-Port-Type = Async Service-Type = Framed Framed-MTU = 1500 Calling-Station-Id = "00-0b-db-0a-ed-eb" server { +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. ++[realmpercent] returns noop [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" [ntdomain] Found realm "tpw5" [ntdomain] Adding Stripped-User-Name = "administrator" [ntdomain] Adding Realm = "tpw5" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [suffix] Request already proxied. Ignoring. ++[suffix] returns ok [eap] EAP packet type response id 7 length 77 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for administrator with NT-Password [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-%{mschap:User-Name}}} -> --username=administrator [mschap] mschap2: 94 [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=c92aee56ea24cca3 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=edfe77fdefdc346cfcb795de77c1bfb7e882075da213a532 Exec-Program output: NT_KEY: 0B31E07CE9C3855E7B73F3A94ED21EB5 Exec-Program-Wait: plaintext: NT_KEY: 0B31E07CE9C3855E7B73F3A94ED21EB5 Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server [peap] Got tunneled reply code 11 EAP-Message = 0x010800331a0307002e533d30353238303737363038373744463839323931393436433734384142333131334443383345423534 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd40b48fbc48ae4a573dddc94033f1de [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010800331a0307002e533d30353238303737363038373744463839323931393436433734384142333131334443383345423534 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd40b48fbc48ae4a573dddc94033f1de [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 107 to 10.12.18.4 port 1812 EAP-Message = 0x0108004a1900170301003fa21a6406b72762e386f075bc1c01d6b83e271b811a3b126616dff52b1befad49d665e40cf12309fcf4c0675abd66826102e54fdfa02f4f5b9dc78fba4be828 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6ccc7ea76bc467d3e72180cc6356312d Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=108, length=150 NAS-IP-Address = 10.12.18.4 NAS-Port-Type = Async User-Name = "TPW5\\administrator" Service-Type = Framed Framed-MTU = 1500 Calling-Station-Id = "00-0b-db-0a-ed-eb" State = 0x6ccc7ea76bc467d3e72180cc6356312d EAP-Message = 0x0208001d190017030100123215a25025b2f991889e532eab1acc707509 Message-Authenticator = 0x4ad3f4a678eb190c4ba1f842ab5c4b31 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. ++[realmpercent] returns noop [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" [ntdomain] Found realm "tpw5" [ntdomain] Adding Stripped-User-Name = "administrator" [ntdomain] Adding Realm = "tpw5" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [suffix] Request already proxied. Ignoring. ++[suffix] returns ok [eap] EAP packet type response id 8 length 29 [eap] Continuing tunnel setup. ++[eap] returns ok ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020800061a03 server { PEAP: Setting User-Name to TPW5\administrator Sending tunneled request EAP-Message = 0x020800061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "TPW5\\administrator" State = 0xbd40b48fbc48ae4a573dddc94033f1de NAS-IP-Address = 10.12.18.4 NAS-Port-Type = Async Service-Type = Framed Framed-MTU = 1500 Calling-Station-Id = "00-0b-db-0a-ed-eb" server { +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. ++[realmpercent] returns noop [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" [ntdomain] Found realm "tpw5" [ntdomain] Adding Stripped-User-Name = "administrator" [ntdomain] Adding Realm = "tpw5" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [suffix] Request already proxied. Ignoring. ++[suffix] returns ok [eap] EAP packet type response id 8 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok [peap] Got tunneled reply code 2 EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "administrator" Session-Timeout := 900 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "100" [peap] Got tunneled reply RADIUS code 2 EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "administrator" Session-Timeout := 900 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "100" [peap] Tunneled authentication was successful. [peap] SUCCESS [peap] Saving tunneled attributes for later ++[eap] returns handled Sending Access-Challenge of id 108 to 10.12.18.4 port 1812 EAP-Message = 0x010900261900170301001b80018f7d29f8c5f428c963bc1a2fb0d9eb4a5635fe3dd9ccecdee9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6ccc7ea764c567d3e72180cc6356312d Finished request 8. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=109, length=159 NAS-IP-Address = 10.12.18.4 NAS-Port-Type = Async User-Name = "TPW5\\administrator" Service-Type = Framed Framed-MTU = 1500 Calling-Station-Id = "00-0b-db-0a-ed-eb" State = 0x6ccc7ea764c567d3e72180cc6356312d EAP-Message = 0x020900261900170301001b5c1ed2599bd67049afbec5788577faf4dd886681d22bf37c1188f0 Message-Authenticator = 0x86a410ea19f9df8d6d6b7a4bfd926745 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config. ++[realmpercent] returns noop [ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator" [ntdomain] Found realm "tpw5" [ntdomain] Adding Stripped-User-Name = "administrator" [ntdomain] Adding Realm = "tpw5" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [suffix] Request already proxied. Ignoring. ++[suffix] returns ok [eap] EAP packet type response id 9 length 38 [eap] Continuing tunnel setup. ++[eap] returns ok ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Success [peap] Using saved attributes from the original Access-Accept rlm_eap_tls: add_reply failed to create attribute EAP-MSK: Invalid octet string "" for attribute name "EAP-MSK" rlm_eap_tls: add_reply failed to create attribute EAP-EMSK: Invalid octet string "" for attribute name "EAP-EMSK" [eap] Freeing handler ++[eap] returns ok Sending Access-Accept of id 109 to 10.12.18.4 port 1812 User-Name = "administrator" MS-MPPE-Recv-Key = 0x829a5f395e0ba2e486cf04409ee945b8d3b68e65b40b207b9117722222d890e2 MS-MPPE-Send-Key = 0x4680664366c2b27dd92f9b94d0d00a289f409040fcfc3d26d4e8500e8bd41cbc EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 Session-Timeout := 900 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "100" Finished request 9. Going to the next request ________________________________ From: "tnt@kalik.net" <tnt@kalik.net> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Sent: Wednesday, December 17, 2008 3:06:27 PM Subject: Re: PEAP with Windows supplicant, Automatically use my windows credentials
I've configured a PEAP with the Windows SP3 supplicant with freeradius 2.1.3, and the authentication succeeds when "Automatically use my windows logon name and password (and domain if any)" is unselected, which forces a manual logon. However, when "Automatically use my ..." is selected with the same user name/domain, the authentication fails.
How same is "the same user name/domain"? Post the debug of the good attempt. Please use radiusd -X. We don't need to see "Wed Dec 17 09:07:24 2008 : Debug:" in front of every line. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html