We've been working on using Freeradius on RHEL5.4 to link a Motorola RFS6000 with Oracle OID. We've had a number of hiccoughs along the way, and solved most of them - mainly thanks to the archives of this list. We are now getting the following error: "rlm_eap_gtc: ERROR: Clear-test User-Password is required for authentication." We are running : radiusd: FreeRADIUS Version 1.1.3, for host i386-redhat-linux-gnu, built on Dec 4 2009 at 13:48:28 Which we are kind of stuck on if we want to maintain consistency with RHN. The full conversation log is long (882 lines), and with the config files this is getting long enough, but I'll post it if it will help (and apologise to the digest readers). Some pertinent bits from it, though (these all refer to a conversation that starts with request 0): Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/gtc rlm_eap: processing type gtc rlm_eap_gtc: ERROR: Clear-test User-Password is required for authentication. rlm_eap: Handler failed in EAP/gtc rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 8 modcall: leaving group authenticate (returns invalid) for request 8 auth: Failed to validate the user. PEAP: Got tunneled reply RADIUS code 3 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Processing from tunneled session code 0x977b0b0 3 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 9 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 9 Here is our radiusd.conf: prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = /usr/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = /usr/lib pidfile = ${run_dir}/radiusd.pid user = radiusd group = radiusd max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = no log_auth_badpass = no log_auth_goodpass = no usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = yes $INCLUDE ${confdir}/proxy.conf $INCLUDE ${confdir}/clients.conf snmp = no $INCLUDE ${confdir}/snmp.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pap { encryption_scheme = clear } chap { authtype = CHAP } pam { pam_auth = radiusd } unix { shadow = /etc/shadow radwtmp = ${logdir}/radwtmp } $INCLUDE ${confdir}/eap.conf mschap { } ldap { server = "stingaree.bbs.bunnings.com.au" port = 3061 identity = "cn=bglpdtven,cn=users,dc=bbs,dc=bunnings,dc=com,dc=au" password = XXXXXXXXXXX basedn = "dc=bbs,dc=bunnings,dc=com,dc=au" filter = "(uid=%u)" base_filter = "(objectclass=radiusprofile)" start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_attribute = "OrclPassword" groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUn iqueNames)(uniquemember=%{Ldap-UserDn})))" groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 } realm IPASS { format = prefix delimiter = "/" ignore_default = no ignore_null = no } realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } realm realmpercent { format = suffix delimiter = "%" ignore_default = no ignore_null = no } realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no } checkval { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users preproxy_usersfile = ${confdir}/preproxy_users compat = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } detail auth_log { detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d detailperm = 0600 } detail reply_log { detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } sqlcounter dailycounter { counter-name = Daily-Session-Time check-name = Max-Daily-Session sqlmod-inst = sql key = User-Name reset = daily query = "SELECT SUM(AcctSessionTime - \ GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \ FROM radacct WHERE UserName='%{%k}' AND \ UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" } sqlcounter monthlycounter { counter-name = Monthly-Session-Time check-name = Max-Monthly-Session sqlmod-inst = sql key = User-Name reset = monthly query = "SELECT SUM(AcctSessionTime - \ GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \ FROM radacct WHERE UserName='%{%k}' AND \ UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply } ippool main_pool { range-start = 192.168.1.1 range-stop = 192.168.3.254 netmask = 255.255.255.0 cache-size = 800 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex override = no maximum-timeout = 0 } } instantiate { exec expr } authorize { preprocess suffix eap files ldap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix Auth-Type LDAP { ldap } eap } preacct { preprocess acct_unique suffix files } accounting { detail unix radutmp } session { radutmp } post-auth { } pre-proxy { } post-proxy { } And our eap.conf: eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } leap { } gtc { auth_type = Local } tls { private_key_password = XXXXXXXXXXXXXX private_key_file = /etc/raddb/certs/bunnings-key.pem certificate_file = /etc/raddb/certs/bunnings-cert.pem CA_path = /etc/raddb/certs/CA CA_file = /etc/raddb/certs/CA/bunnings-ca.crt dh_file = /etc/raddb/certs/dh random_file = /etc/raddb/certs/random fragment_size = 1024 include_length = yes cipher_list = "DEFAULT" } peap { default_eap_type = mschapv2 } mschapv2 { } } And our users file: DEFAULT Auth-Type = LDAP Fall-Through = Yes DEFAULT Service-Type == Framed-User Framed-IP-Address = 255.255.255.254, Framed-MTU = 576, Service-Type = Framed-User, Fall-Through = Yes DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "SLIP" Framed-Protocol = SLIP Unix Systems Administrator Bunnings Group Limited 126 Pilbara Street, Welshpool WA 6106 Locked Bag 20, Welshpool WA 6986 Phone : (08) 9365-1507 Fax : (08) 9358-6054 E-mail : rmasters@bunnings.com.au Website : www.bunnings.com.au ************************************************************************ Bunnings Legal Disclaimer: 1) This email is confidential and may contain legally privileged information. If you are not the intended recipient, you must not disclose or use the information contained in it. If you have received this email in error, please notify us immediately by return email and delete the document. 2) All emails sent to and sent from Bunnings Group Limited. are scanned for content. Any material deemed to contain inappropriate subject matter will be reported to the email administrator of all parties concerned. ************************************************************************