Hi Sorry it was my first post and only one week with the openldap and freeradius. Thanks for the feedback and patience. So far what I can do at ldapsearch is to look using the gidNumber and I get: $ ldapsearch -x -LLL -b ou=Groups,dc=testexample,dc=com '(&(objectClass=posixGroup)(gidNumber=5000))' dn: cn=students,ou=Groups,dc=testexample,dc=com objectClass: posixGroup cn: students gidNumber: 5000 And if I search de attribute cn then I get $ldapsearch -x -LLL -b ou=Groups,dc=testexample,dc=com '(&(objectClass=posixGroup)(gidNumber=5000))' cn dn: cn=students,ou=Groups,dc=testexample,dc=com cn: students So how can I populate Ldap-Group with "students" in this case? Now going back to the output below (too big), where I put at the users file DEFAULT GroupNumber == 5000 Filter-Id :="test" I see that my GroupNumber gets populated with the gidNumber of the user which in this case is 5000. that [ldap] gidNumber -> GroupNumber == 5000 [ldap] userPassword -> Password-With-Header == "david" [ldap] sambaNtPassword -> NT-Password == But I do not see nothing in the output below that shows the users file being check. When I change that to Ldap-Group="student" I see on the output that it tries to query for students but as I do not have objectclass GroupofNames it does not work: [ldap] performing search in dc=testexample,dc=com, with filter (&(cn=students)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))) [ldap] object not found So bottom line. What could be my issue based on my Opendap directory info? Thanks, David Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.242.254.254 port 1069, id=123, length=103 User-Name = "david" NAS-IP-Address = 10.242.254.254 NAS-Port = 77 NAS-Port-Type = Ethernet Calling-Station-Id = "e4115b3ef3b4" EAP-Message = 0x0200000a016461766964 Message-Authenticator = 0x6eda8fb3569454ebd60c80a3764f2fe9 Service-Type = Framed-User # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "david", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 10 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 123 to 10.242.254.254 port 1069 EAP-Message = 0x0101001604108648bbc6295b42cac8b6b9c1e9cfa9df Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb6b75489b6b650ec2f9f110d6137b02e Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.242.254.254 port 1069, id=124, length=117 User-Name = "david" NAS-IP-Address = 10.242.254.254 State = 0xb6b75489b6b650ec2f9f110d6137b02e NAS-Port = 77 NAS-Port-Type = Ethernet Calling-Station-Id = "e4115b3ef3b4" EAP-Message = 0x020100060319 Message-Authenticator = 0x3a4e1e5734dec88bc2fcff10c40f76d0 Service-Type = Framed-User # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "david", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 124 to 10.242.254.254 port 1069 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb6b75489b7b54dec2f9f110d6137b02e Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.242.254.254 port 1069, id=125, length=218 User-Name = "david" NAS-IP-Address = 10.242.254.254 State = 0xb6b75489b7b54dec2f9f110d6137b02e NAS-Port = 77 NAS-Port-Type = Ethernet Calling-Station-Id = "e4115b3ef3b4" EAP-Message = 0x0202006b198000000061160301005c01000058030155e9110f3a5f4974f513b4b7fc2847aa5b7e993bb045cf0ecf6cc14b884ee3f4000018c014c013c00ac0090035002f00380032000a00130005000401000017000a00080006001900170018000b00020100ff01000100 Message-Authenticator = 0xf093511c80c5086894dbd4b245e1cb6c Service-Type = Framed-User # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "david", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 97 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 005c], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 02ac], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 125 to 10.242.254.254 port 1069 EAP-Message = 0x010302f6190016030100310200002d030155e9110ff3b1d4e07998ff070e3fedd09b7a537a1657d1efde554643cef7c95c000035000005ff0100010016030102ac0b0002a80002a50002a23082029e30820186020900f110e01208f73412300d06092a864886f70d01010505003011310f300d060355040313067562756e7475301e170d3133303631353031353130335a170d3233303631333031353130335a3011310f300d060355040313067562756e747530820122300d06092a864886f70d01010105000382010f003082010a0282010100aa7bbf84790314288b6502a71473e60b430317330ed2f25d1522b93cc4fb4f43d85243cfcaeb8b7680 EAP-Message = 0x04eb7b41349f34b43b5e8f9af52fc49311b5b2fe08fc74b29db8015fe6f2a9896f63080a079aa779a62c64b962341acb140b7d2415bb67a93583fd1d340769103bb955dbf24ef36f07f0b1e227626b659e62ed0f487abef679edbce503fe7a53bd37db38f7290dd719bdcac5009450b5f1c6b448c1108c68b27adf3ddf4610d38054e2a09c2a3e622711150357388637de11fad849185f7742cd3ebf54125145a9a49d56a648c7e817649d14d65234ff2d927efb26321e79851fe5b631021fbc7a94b9d43f036476994c48afa98506ef41751d525fb04b0203010001300d06092a864886f70d0101050500038201010015eddb2e324a5e49273001d6f6 EAP-Message = 0xb2805a5578995f1ee22286f4a35e90823af81cd309da655f3373c7920de53673445afd95935f95151befea7b5007bcf7a9db41e0686ba4216ab979182929830fc0e44f8497873feb34e8c2d0503911d70d718ff63f1caa87226231f316ee3bd407457f0d40af68dbaf5313d471a774e7f66bc12e426e01b88c22c6ed7778bd55dbf99cd16cbf56871bf24de914af12355ce07841102a1b22b21d983f08973881faaa6fe293dcc2058b4da434a294ef225d1f1d1a6d1f4c1bbcb8a3eb742ebab0d6c81d3578b1b72081ea3a63be643bff8f5bd30f67698f04405a6fc03802e51a6805943a178f73fa6e01c18294004c1c12454c16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb6b75489b4b44dec2f9f110d6137b02e Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.242.254.254 port 1069, id=126, length=449 User-Name = "david" NAS-IP-Address = 10.242.254.254 State = 0xb6b75489b4b44dec2f9f110d6137b02e NAS-Port = 77 NAS-Port-Type = Ethernet Calling-Station-Id = "e4115b3ef3b4" EAP-Message = 0x0203015019800000014616030101061000010201008fba534a1139afcf8cbe6260bf1226100554d8e54483500c043be6dcb570e5935fca4bd87add18d515a9c5304d975f2c3f552372d6f07e96828b0336b1c36f5cc45d0bc299677ce9eff5fec1722b8aadea200241125cd0b1b024c365c775786dd7bf5596ffda0829a2033efb020586435f4e291fec7dad0bfb43fc61eb667c6f67c7ad5754f1bff007fcd0493fa1f28f032f8d7678726a6318683bb1ecae7d4a7c252c6e06f8fe3c4cb557d5343dc774962079ecc2851e8fcc84bb57b055ca02ddb45220ae411dd1d01e609a6719e594cd1dd10bd9be108812b02540b51adde1cf2b9b4ba7616e92 EAP-Message = 0xd85c8ffcc24354a888ae2de39c82526945fdfa0e4e065dcd140301000101160301003066134c22605c9673dbb59626969081f39a7101a8e1f772768aba0d3bf514b89ef27b110a5803d95ec2cc4403d12179e7 Message-Authenticator = 0xece81e29182a141fa0588f8d36ed905f Service-Type = Framed-User # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "david", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 126 to 10.242.254.254 port 1069 EAP-Message = 0x0104004119001403010001011603010030f73ed80f8b2925a75dfdda9dd090be391a302a60604cbed32bc61dd466cc0f4d9a2be5b8eb299437ec6b5bb7ec8729d2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb6b75489b5b34dec2f9f110d6137b02e Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.242.254.254 port 1069, id=127, length=117 User-Name = "david" NAS-IP-Address = 10.242.254.254 State = 0xb6b75489b5b34dec2f9f110d6137b02e NAS-Port = 77 NAS-Port-Type = Ethernet Calling-Station-Id = "e4115b3ef3b4" EAP-Message = 0x020400061900 Message-Authenticator = 0xda1f0c6a31393103b9c12ca0284e2c0f Service-Type = Framed-User # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "david", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 127 to 10.242.254.254 port 1069 EAP-Message = 0x0105002b190017030100203ddde826ff0e1d216ca33b4442b819345118030e16fb68628173e22278ee98fc Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb6b75489b2b24dec2f9f110d6137b02e Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.242.254.254 port 1069, id=128, length=154 User-Name = "david" NAS-IP-Address = 10.242.254.254 State = 0xb6b75489b2b24dec2f9f110d6137b02e NAS-Port = 77 NAS-Port-Type = Ethernet Calling-Station-Id = "e4115b3ef3b4" EAP-Message = 0x0205002b190017030100202965ee9c1a2e44a22e2fe1c8657434f166f76452400085e7c546d2afeb3151e2 Message-Authenticator = 0x84e872b5ee78e972767073a0cf897485 Service-Type = Framed-User # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "david", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - david [peap] Got inner identity 'david' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0205000a016461766964 server { PEAP: Setting User-Name to david Sending tunneled request EAP-Message = 0x0205000a016461766964 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "david" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[mschap] returns noop [suffix] No '@' in User-Name = "david", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 5 length 10 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for david [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> david [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=david) [ldap] expand: dc=testexample,dc=com -> dc=testexample,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to localhost:389, authentication 0 [ldap] bind as cn=admin,dc=testexample,dc=com/test2004 to localhost:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=testexample,dc=com, with filter (uid=david) [ldap] checking if remote access for david is allowed by dialupAccess [ldap] Added User-Password = david in check items [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] gidNumber -> GroupNumber == 5000 [ldap] userPassword -> Password-With-Header == "david" [ldap] sambaNtPassword -> NT-Password == 0x3638313238334242334639314644463837444439343235374244314232364434 [ldap] sambaLmPassword -> LM-Password == 0x3031384539333834334339423830303135303434323845323033343535353234 [ldap] looking for reply items in directory... [ldap] user david authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0106001f1a0106001a104924a874610ee8126c1451aa24aaa2996461766964 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf10600a5f1001ace9b23ed19368cfb3c [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0106001f1a0106001a104924a874610ee8126c1451aa24aaa2996461766964 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf10600a5f1001ace9b23ed19368cfb3c [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 128 to 10.242.254.254 port 1069 EAP-Message = 0x0106003b19001703010030f553bf6ff5317d92dd3a8320a0c2851c7290522d2dc7d87a112377ab73fd1605b3175b2e15cb1d98cda54362d1e2d4b8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb6b75489b3b14dec2f9f110d6137b02e Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.242.254.254 port 1069, id=129, length=218 User-Name = "david" NAS-IP-Address = 10.242.254.254 State = 0xb6b75489b3b14dec2f9f110d6137b02e NAS-Port = 77 NAS-Port-Type = Ethernet Calling-Station-Id = "e4115b3ef3b4" EAP-Message = 0x0206006b19001703010060773bc9cffe95a263db94999ffaf2afd9e09c2dd343ac717a65137a5bfa566952b6c06d5dbc569350f95bc2d2b5a2598a2a0d2d0d26f919283602ba0cfa44278e20ddd7a073df92b8d56f66a7391f64d46ee67e730cfd1cc5aa2f50926896d8f5 Message-Authenticator = 0x91fdd4860b03ae1025d6e73ecdf84066 Service-Type = Framed-User # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "david", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020600401a0206003b3112b4209f124984f92b075546de073933000000000000000039ed468ed39b9ea9c80c36f27352837de7188490d5e2bb0f006461766964 server { PEAP: Setting User-Name to david Sending tunneled request EAP-Message = 0x020600401a0206003b3112b4209f124984f92b075546de073933000000000000000039ed468ed39b9ea9c80c36f27352837de7188490d5e2bb0f006461766964 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "david" State = 0xf10600a5f1001ace9b23ed19368cfb3c server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[mschap] returns noop [suffix] No '@' in User-Name = "david", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 6 length 64 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for david [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> david [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=david) [ldap] expand: dc=testexample,dc=com -> dc=testexample,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=testexample,dc=com, with filter (uid=david) [ldap] checking if remote access for david is allowed by dialupAccess [ldap] Added User-Password = david in check items [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] gidNumber -> GroupNumber == 5000 [ldap] userPassword -> Password-With-Header == "david" [ldap] sambaNtPassword -> NT-Password == 0x3638313238334242334639314644463837444439343235374244314232364434 [ldap] sambaLmPassword -> LM-Password == 0x3031384539333834334339423830303135303434323845323033343535353234 [ldap] looking for reply items in directory... [ldap] user david authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Found LM-Password [mschap] Found NT-Password [mschap] Creating challenge hash with username: david [mschap] Told to do MS-CHAPv2 for david with NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010700331a0306002e533d34384638433434424438354337434438443833464435443646434239433937343436443436464643 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf10600a5f0011ace9b23ed19368cfb3c [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010700331a0306002e533d34384638433434424438354337434438443833464435443646434239433937343436443436464643 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf10600a5f0011ace9b23ed19368cfb3c [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 129 to 10.242.254.254 port 1069 EAP-Message = 0x0107005b1900170301005048bf91fd1327fb8314e6d4c07e038702cfaa8814ab83581ae483bf1b611144a20ba892611b0c118043162b5c542a7fbde58dc11426692b35f1122abb22eef0b82c1041c29227473101d66d65436cb76b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb6b75489b0b04dec2f9f110d6137b02e Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.242.254.254 port 1069, id=130, length=154 User-Name = "david" NAS-IP-Address = 10.242.254.254 State = 0xb6b75489b0b04dec2f9f110d6137b02e NAS-Port = 77 NAS-Port-Type = Ethernet Calling-Station-Id = "e4115b3ef3b4" EAP-Message = 0x0207002b19001703010020d202256d3c2bb0891a99efec94d3da6bb09d478633c902ddfadf54e75bd4c7df Message-Authenticator = 0x8ebc91b8aea6c5c3638b7beac5e2b893 Service-Type = Framed-User # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "david", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020700061a03 server { PEAP: Setting User-Name to david Sending tunneled request EAP-Message = 0x020700061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "david" State = 0xf10600a5f0011ace9b23ed19368cfb3c server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[mschap] returns noop [suffix] No '@' in User-Name = "david", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 7 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for david [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> david [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=david) [ldap] expand: dc=testexample,dc=com -> dc=testexample,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=testexample,dc=com, with filter (uid=david) [ldap] checking if remote access for david is allowed by dialupAccess [ldap] Added User-Password = david in check items [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] gidNumber -> GroupNumber == 5000 [ldap] userPassword -> Password-With-Header == "david" [ldap] sambaNtPassword -> NT-Password == 0x3638313238334242334639314644463837444439343235374244314232364434 [ldap] sambaLmPassword -> LM-Password == 0x3031384539333834334339423830303135303434323845323033343535353234 [ldap] looking for reply items in directory... [ldap] user david authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok WARNING: Empty post-auth section. Using default return values. # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel } # server inner-tunnel [peap] Got tunneled reply code 2 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0xd5768a9870471c51047fe28f1b3229d9 MS-MPPE-Recv-Key = 0x46decfc90869e2d2f79633f605ca06d9 EAP-Message = 0x03070004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "david" [peap] Got tunneled reply RADIUS code 2 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0xd5768a9870471c51047fe28f1b3229d9 MS-MPPE-Recv-Key = 0x46decfc90869e2d2f79633f605ca06d9 EAP-Message = 0x03070004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "david" [peap] Tunneled authentication was successful. [peap] SUCCESS ++[eap] returns handled Sending Access-Challenge of id 130 to 10.242.254.254 port 1069 EAP-Message = 0x0108002b190017030100201e7ba200cffbbd72acfcd0eb6d2577e97787a44f710efcf3b32a02ac50491694 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb6b75489b1bf4dec2f9f110d6137b02e Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.242.254.254 port 1069, id=131, length=154 User-Name = "david" NAS-IP-Address = 10.242.254.254 State = 0xb6b75489b1bf4dec2f9f110d6137b02e NAS-Port = 77 NAS-Port-Type = Ethernet Calling-Station-Id = "e4115b3ef3b4" EAP-Message = 0x0208002b19001703010020de6323900253dc104b02e2c016917d42b1cb751a820a5ad79a0564d2608c6ec0 Message-Authenticator = 0x9cdec88377cb87eadaf2a69ba0e0253f Service-Type = Framed-User # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "david", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 131 to 10.242.254.254 port 1069 MS-MPPE-Recv-Key = 0xe992d730dbcbd150254770ade371e94428d89cea4b07b0b417c1b84f516c32e7 MS-MPPE-Send-Key = 0x7aaeeead2c715622376d59e22b6c1fa8ff322ebc53d14635e23f24fe72115cc2 EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "david" Finished request 8. Going to the next request Waking up in 4.8 seconds. Cleaning up request 0 ID 123 with timestamp +15 Cleaning up request 1 ID 124 with timestamp +15 Cleaning up request 2 ID 125 with timestamp +15 Cleaning up request 3 ID 126 with timestamp +15 Cleaning up request 4 ID 127 with timestamp +15 Cleaning up request 5 ID 1