I am trying to do EAP-PEAP, using FreeRadius 1.0.4. Here are the debug logs, at the breaking points: rlm_sql (sql): Released sql socket id: 4 modcall[authorize]: module "sql" returns ok for request 8 modcall: group authorize returns updated for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 8 rlm_mschap: Told to do MS-CHAPv2 for johnk with NT-Password rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 8 modcall: group Auth-Type returns reject for request 8 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 8 modcall: group authenticate returns reject for request 8 auth: Failed to validate the user. Login incorrect: [johnk/<no User-Password attribute>] (from client localhost port 0) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE and again later on... eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure, rejecting. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 9 modcall: group authenticate returns invalid for request 9 auth: Failed to validate the user. Login incorrect: [johnk/<no User-Password attribute>] (from client xXxXx1100 port 821 cli 000e.35b5.eb8f) Here is how my two auth sections look: radiusd.conf: authorize { preprocess auth_log mschap eap sql } authenticate { Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } mschap eap } Here are a few excerpts from eap.conf: eap { # Invoke the default supported EAP type when # EAP-Identity response is received. # # The incoming EAP messages DO NOT specify which EAP # type they will be using, so it MUST be set here. # # For now, only one default EAP type may be used at a time. # # If the EAP-Type attribute is set by another module, # then that EAP type takes precedence over the # default type configured here. # default_eap_type = mschapv2 .... peap { # The tunneled EAP session needs a default # EAP type which is separate from the one for # the non-tunneled EAP module. Inside of the # PEAP tunnel, we recommend using MS-CHAPv2, # as that is the default type supported by # Windows clients. default_eap_type = mschapv2 } My thoughts are that SQL and MSCHAP should be in the authorization section, and MSCHAP and EAP should be in authentication. I have tried this, and it does not work for me. I really have no idea of what I am doing, although I have read the documentation. I am storing NTLM passwords in my SQL server. mysql> select * from radcheck where UserName = "johnk"; +------+----------+---------------+----+-------------------------------------------------------------------+ | id | UserName | Attribute | op | Value | +------+----------+---------------+----+-------------------------------------------------------------------+ | 1490 | johnk | User-Password | == | 0393A990E3426721695109AB020K4E1C:FBFR81520C5BDDENOTREALPASSWORD33 | +------+----------+---------------+----+-------------------------------------------------------------------+ 1 row in set (0.00 sec) (The password above has been assigned a false value) mysql> select * from usergroup where UserName = "johnk"; +------+----------+------------+ | id | UserName | GroupName | +------+----------+------------+ | 2502 | johnk | pirate | +------+----------+------------+ 1 row in set (0.01 sec) mysql> select * from radgroupreply; +----+------------+---------------------------+----+----------+------+ | id | GroupName | Attribute | op | Value | prio | +----+------------+---------------------------+----+----------+------+ | 39 | pirate | Tunnel-Medium-Type:0 | = | IEEE-802 | 0 | | 40 | pirate | Tunnel-Type:0 | = | VLAN | 0 | | 41 | pirate | Tunnel-Private-Group-ID:0 | = | 111 | 0 | +----+------------+---------------------------+----+----------+------+ 3 rows in set (0.00 sec) What can be suggested, so that my authentication phase goes as well as my authorization phase? --johnk