Hello, I am trying to configure the above. Here is what I have done so far. 1) Cisco WLC was configured 2) freeradius 3.0 was installed on a Debian machine a) Cisco WLC IPv4 address was added as a client to freeradius /etc/freeradius/3.0/clients.conf b) A few local users were added to users file /etc/freeradius/3.0/users 3) whenever I try to use the below command on WLC test aaa group radius joe.doe pa44w0rd new-code I am successfully authenticated. However this is going as PAP. 4) any request from the wifi client is not going through cause it is PEAP-MSCHAP Currently 'freeradius -X' gives me the following (39) Cisco-AVPair = "vlan-id=101" (39) NAS-IP-Address = 172.16.100.10 (39) NAS-Port-Id = "capwap_90000004" (39) NAS-Port-Type = Wireless-802.11 (39) NAS-Port = 5 (39) State = 0x8afb70f28ffc69b5cf854ba7abc363a9 (39) Cisco-AVPair = "cisco-wlan-ssid=NEFO1x" (39) Cisco-AVPair = "wlan-profile-name=NEFO-802.1x" (39) Called-Station-Id = "24-36-da-17-30-00:NEFO1x" (39) Calling-Station-Id = "7a-be-3e-4d-a8-62" (39) Airespace-Wlan-Id = 4 (39) NAS-Identifier = "WLC9120-NEFO" (39) WLAN-Group-Cipher = 1027076 (39) WLAN-Pairwise-Cipher = 1027076 (39) WLAN-AKM-Suite = 1027075 (39) WLAN-Group-Mgmt-Cipher = 1027078 (39) session-state: No cached attributes (39) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (39) authorize { (39) policy filter_username { (39) if (&User-Name) { (39) if (&User-Name) -> TRUE (39) if (&User-Name) { (39) if (&User-Name =~ / /) { (39) if (&User-Name =~ / /) -> FALSE (39) if (&User-Name =~ /@[^@]*@/ ) { (39) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (39) if (&User-Name =~ /\.\./ ) { (39) if (&User-Name =~ /\.\./ ) -> FALSE (39) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (39) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (39) if (&User-Name =~ /\.$/) { (39) if (&User-Name =~ /\.$/) -> FALSE (39) if (&User-Name =~ /@\./) { (39) if (&User-Name =~ /@\./) -> FALSE (39) } # if (&User-Name) = notfound (39) } # policy filter_username = notfound (39) [preprocess] = ok (39) [chap] = noop (39) [mschap] = noop (39) [digest] = noop (39) suffix: Checking for suffix after "@" (39) suffix: No '@' in User-Name = "joe.doe", looking up realm NULL (39) suffix: No such realm "NULL" (39) [suffix] = noop (39) eap: Peer sent EAP Response (code 2) ID 7 length 51 (39) eap: Continuing tunnel setup (39) [eap] = ok (39) } # authorize = ok (39) Found Auth-Type = eap (39) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (39) authenticate { (39) eap: Expiring EAP session with state 0x8afb70f28ffc69b5 (39) eap: Finished EAP session with state 0x8afb70f28ffc69b5 (39) eap: Previous EAP request found for state 0x8afb70f28ffc69b5, released from the list (39) eap: Peer sent packet with method EAP PEAP (25) (39) eap: Calling submodule eap_peap to process data (39) eap_peap: Continuing EAP-TLS (39) eap_peap: [eaptls verify] = ok (39) eap_peap: Done initial handshake (39) eap_peap: [eaptls process] = ok (39) eap_peap: Session established. Decoding tunneled attributes (39) eap_peap: PEAP state WAITING FOR INNER IDENTITY (39) eap_peap: Identity - joe.doe (39) eap_peap: Got inner identity 'joe.doe' (39) eap_peap: Setting default EAP type for tunneled EAP session (39) eap_peap: Got tunneled request (39) eap_peap: EAP-Message = 0x02070014016d616369656a2e77616c69737a6b6f (39) eap_peap: Setting User-Name to joe.doe (39) eap_peap: Sending tunneled request to inner-tunnel (39) eap_peap: EAP-Message = 0x02070014016d616369656a2e77616c69737a6b6f (39) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (39) eap_peap: User-Name = "joe.doe" (39) Virtual server inner-tunnel received request (39) EAP-Message = 0x02070014016d616369656a2e77616c69737a6b6f (39) FreeRADIUS-Proxied-To = 127.0.0.1 (39) User-Name = "joe.doe" (39) WARNING: Outer and inner identities are the same. User privacy is compromised. (39) server inner-tunnel { (39) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (39) authorize { (39) policy filter_username { (39) if (&User-Name) { (39) if (&User-Name) -> TRUE (39) if (&User-Name) { (39) if (&User-Name =~ / /) { (39) if (&User-Name =~ / /) -> FALSE (39) if (&User-Name =~ /@[^@]*@/ ) { (39) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (39) if (&User-Name =~ /\.\./ ) { (39) if (&User-Name =~ /\.\./ ) -> FALSE (39) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (39) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (39) if (&User-Name =~ /\.$/) { (39) if (&User-Name =~ /\.$/) -> FALSE (39) if (&User-Name =~ /@\./) { (39) if (&User-Name =~ /@\./) -> FALSE (39) } # if (&User-Name) = notfound (39) } # policy filter_username = notfound (39) [chap] = noop (39) [mschap] = noop (39) suffix: Checking for suffix after "@" (39) suffix: No '@' in User-Name = "joe.doe", looking up realm NULL (39) suffix: No such realm "NULL" (39) [suffix] = noop (39) update control { (39) &Proxy-To-Realm := LOCAL (39) } # update control = noop (39) eap: Peer sent EAP Response (code 2) ID 7 length 20 (39) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (39) [eap] = ok (39) } # authorize = ok (39) Found Auth-Type = eap (39) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (39) authenticate { (39) eap: Peer sent packet with method EAP Identity (1) (39) eap: Calling submodule eap_mschapv2 to process data (39) eap_mschapv2: Issuing Challenge (39) eap: Sending EAP Request (code 1) ID 8 length 43 (39) eap: EAP session adding &reply:State = 0xa779f0bba771eab5 (39) [eap] = handled (39) } # authenticate = handled (39) } # server inner-tunnel (39) Virtual server sending reply (39) EAP-Message = 0x0108002b1a01080026102e31c720efcc97f1b1344319c2717f10667265657261646975732d332e302e3137 (39) Message-Authenticator = 0x00000000000000000000000000000000 (39) State = 0xa779f0bba771eab5fa1472a70f642a70 (39) eap_peap: Got tunneled reply code 11 (39) eap_peap: EAP-Message = 0x0108002b1a01080026102e31c720efcc97f1b1344319c2717f10667265657261646975732d332e302e3137 (39) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (39) eap_peap: State = 0xa779f0bba771eab5fa1472a70f642a70 (39) eap_peap: Got tunneled reply RADIUS code 11 (39) eap_peap: EAP-Message = 0x0108002b1a01080026102e31c720efcc97f1b1344319c2717f10667265657261646975732d332e302e3137 (39) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (39) eap_peap: State = 0xa779f0bba771eab5fa1472a70f642a70 (39) eap_peap: Got tunneled Access-Challenge (39) eap: Sending EAP Request (code 1) ID 8 length 74 (39) eap: EAP session adding &reply:State = 0x8afb70f28cf369b5 (39) [eap] = handled (39) } # authenticate = handled (39) Using Post-Auth-Type Challenge (39) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (39) Challenge { ... } # empty sub-section is ignored (39) Sent Access-Challenge Id 249 from 10.222.34.11:1812 to 172.16.100.10:65092 length 0 (39) EAP-Message = 0x0108004a1900170303003fcc5b8334628ab37aa89b123da75ca7c75fd530ecc021320acc07bdc59b19d161f36ee6151578b5fa7487e0d86eb2dee898bde53e74baca61f9c67ccd045dc0 (39) Message-Authenticator = 0x00000000000000000000000000000000 (39) State = 0x8afb70f28cf369b5cf854ba7abc363a9 (39) Finished request Waking up in 4.9 seconds. (38) Cleaning up request packet ID 248 with timestamp +985 (40) Received Access-Request Id 248 from 172.16.100.10:65092 to 10.222.34.11:1812 length 538 (40) User-Name = "joe.doe" (40) Service-Type = Framed-User (40) Cisco-AVPair = "service-type=Framed" (40) Framed-MTU = 1485 (40) EAP-Message = 0x020800691900170303005e89bf7fdf3bb86e3e467aef6b8988848fce28ba903c8c18014db6390e35aea1dfefd7abf64b8bc29c5f574a83dc3a850169b6de84430922b3617bbd5bef2f8ab879603c7c43c1940ed4e61b724f2bfde0d24c7f7c8fc3eb9c05f74ce8cccd (40) Message-Authenticator = 0x928deedf5800d89e75d47b6c4ff5f004 (40) Cisco-AVPair = "audit-session-id=0A6410AC00001FAE74DE0A43" (40) Cisco-AVPair = "method=dot1x" (40) Cisco-AVPair = "client-iif-id=2852134698" (40) Cisco-AVPair = "vlan-id=101" (40) NAS-IP-Address = 172.16.100.10 (40) NAS-Port-Id = "capwap_90000004" (40) NAS-Port-Type = Wireless-802.11 (40) NAS-Port = 5 (40) State = 0x8afb70f28cf369b5cf854ba7abc363a9 (40) Cisco-AVPair = "cisco-wlan-ssid=NEFO1x" (40) Cisco-AVPair = "wlan-profile-name=NEFO-802.1x" (40) Called-Station-Id = "24-36-da-17-30-00:NEFO1x" (40) Calling-Station-Id = "7a-be-3e-4d-a8-62" (40) Airespace-Wlan-Id = 4 (40) NAS-Identifier = "WLC9120-NEFO" (40) WLAN-Group-Cipher = 1027076 (40) WLAN-Pairwise-Cipher = 1027076 (40) WLAN-AKM-Suite = 1027075 (40) WLAN-Group-Mgmt-Cipher = 1027078 (40) session-state: No cached attributes (40) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (40) authorize { (40) policy filter_username { (40) if (&User-Name) { (40) if (&User-Name) -> TRUE (40) if (&User-Name) { (40) if (&User-Name =~ / /) { (40) if (&User-Name =~ / /) -> FALSE (40) if (&User-Name =~ /@[^@]*@/ ) { (40) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (40) if (&User-Name =~ /\.\./ ) { (40) if (&User-Name =~ /\.\./ ) -> FALSE (40) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (40) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (40) if (&User-Name =~ /\.$/) { (40) if (&User-Name =~ /\.$/) -> FALSE (40) if (&User-Name =~ /@\./) { (40) if (&User-Name =~ /@\./) -> FALSE (40) } # if (&User-Name) = notfound (40) } # policy filter_username = notfound (40) [preprocess] = ok (40) [chap] = noop (40) [mschap] = noop (40) [digest] = noop (40) suffix: Checking for suffix after "@" (40) suffix: No '@' in User-Name = "joe.doe", looking up realm NULL (40) suffix: No such realm "NULL" (40) [suffix] = noop (40) eap: Peer sent EAP Response (code 2) ID 8 length 105 (40) eap: Continuing tunnel setup (40) [eap] = ok (40) } # authorize = ok (40) Found Auth-Type = eap (40) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (40) authenticate { (40) eap: Expiring EAP session with state 0xa779f0bba771eab5 (40) eap: Finished EAP session with state 0x8afb70f28cf369b5 (40) eap: Previous EAP request found for state 0x8afb70f28cf369b5, released from the list (40) eap: Peer sent packet with method EAP PEAP (25) (40) eap: Calling submodule eap_peap to process data (40) eap_peap: Continuing EAP-TLS (40) eap_peap: [eaptls verify] = ok (40) eap_peap: Done initial handshake (40) eap_peap: [eaptls process] = ok (40) eap_peap: Session established. Decoding tunneled attributes (40) eap_peap: PEAP state phase2 (40) eap_peap: EAP method MSCHAPv2 (26) (40) eap_peap: Got tunneled request (40) eap_peap: EAP-Message = 0x0208004a1a0208004531ac16e2ad0f43ee8ec9bdd2aad3c5deda0000000000000000e4fff9f3543da30667451659b4a7598166306e0f8b66215c006d616369656a2e77616c69737a6b6f (40) eap_peap: Setting User-Name to joe.doe (40) eap_peap: Sending tunneled request to inner-tunnel (40) eap_peap: EAP-Message = 0x0208004a1a0208004531ac16e2ad0f43ee8ec9bdd2aad3c5deda0000000000000000e4fff9f3543da30667451659b4a7598166306e0f8b66215c006d616369656a2e77616c69737a6b6f (40) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (40) eap_peap: User-Name = "joe.doe" (40) eap_peap: State = 0xa779f0bba771eab5fa1472a70f642a70 (40) Virtual server inner-tunnel received request (40) EAP-Message = 0x0208004a1a0208004531ac16e2ad0f43ee8ec9bdd2aad3c5deda0000000000000000e4fff9f3543da30667451659b4a7598166306e0f8b66215c006d616369656a2e77616c69737a6b6f (40) FreeRADIUS-Proxied-To = 127.0.0.1 (40) User-Name = "joe.doe" (40) State = 0xa779f0bba771eab5fa1472a70f642a70 (40) WARNING: Outer and inner identities are the same. User privacy is compromised. (40) server inner-tunnel { (40) session-state: No cached attributes (40) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (40) authorize { (40) policy filter_username { (40) if (&User-Name) { (40) if (&User-Name) -> TRUE (40) if (&User-Name) { (40) if (&User-Name =~ / /) { (40) if (&User-Name =~ / /) -> FALSE (40) if (&User-Name =~ /@[^@]*@/ ) { (40) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (40) if (&User-Name =~ /\.\./ ) { (40) if (&User-Name =~ /\.\./ ) -> FALSE (40) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (40) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (40) if (&User-Name =~ /\.$/) { (40) if (&User-Name =~ /\.$/) -> FALSE (40) if (&User-Name =~ /@\./) { (40) if (&User-Name =~ /@\./) -> FALSE (40) } # if (&User-Name) = notfound (40) } # policy filter_username = notfound (40) [chap] = noop (40) [mschap] = noop (40) suffix: Checking for suffix after "@" (40) suffix: No '@' in User-Name = "joe.doe", looking up realm NULL (40) suffix: No such realm "NULL" (40) [suffix] = noop (40) update control { (40) &Proxy-To-Realm := LOCAL (40) } # update control = noop (40) eap: Peer sent EAP Response (code 2) ID 8 length 74 (40) eap: No EAP Start, assuming it's an on-going EAP conversation (40) [eap] = updated (40) files: users: Matched entry joe.doe at line 91 (40) [files] = ok rlm_ldap (ldap): Reserved connection (17) (40) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (40) ldap: --> (uid=joe.doe) (40) ldap: Performing search in "dc=netformers,dc=local" with filter "(uid=joe.doe)", scope "sub" (40) ldap: Waiting for search result... (40) ldap: User object found at DN "uid=joe.doe,dc=netformers,dc=local" (40) ldap: Processing user attributes rlm_ldap (ldap): Released connection (17) (40) [ldap] = ok (40) [expiration] = noop (40) [logintime] = noop (40) pap: WARNING: Auth-Type already set. Not setting to PAP (40) [pap] = noop (40) } # authorize = updated (40) Found Auth-Type = eap (40) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (40) authenticate { (40) eap: Expiring EAP session with state 0xa779f0bba771eab5 (40) eap: Finished EAP session with state 0xa779f0bba771eab5 (40) eap: Previous EAP request found for state 0xa779f0bba771eab5, released from the list (40) eap: Peer sent packet with method EAP MSCHAPv2 (26) (40) eap: Calling submodule eap_mschapv2 to process data (40) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (40) eap_mschapv2: authenticate { (40) mschap: Found Cleartext-Password, hashing to create NT-Password (40) mschap: Found Cleartext-Password, hashing to create LM-Password (40) mschap: Creating challenge hash with username: joe.doe (40) mschap: Client is using MS-CHAPv2 (40) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (40) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (40) mschap: --> --username=joe.doe (40) mschap: Creating challenge hash with username: joe.doe (40) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (40) mschap: --> --challenge=ab5d475d8e18b55f (40) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (40) mschap: --> --nt-response=e4fff9f3543da30667451659b4a7598166306e0f8b66215c (40) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)' (40) mschap: External script failed (40) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d) (40) mschap: ERROR: MS-CHAP2-Response is incorrect (40) [mschap] = reject (40) } # authenticate = reject (40) eap: Sending EAP Failure (code 4) ID 8 length 4 (40) eap: Freeing handler (40) [eap] = reject (40) } # authenticate = reject (40) Failed to authenticate the user (40) Using Post-Auth-Type Reject (40) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (40) Post-Auth-Type REJECT { (40) attr_filter.access_reject: EXPAND %{User-Name} (40) attr_filter.access_reject: --> joe.doe (40) attr_filter.access_reject: Matched entry DEFAULT at line 11 (40) [attr_filter.access_reject] = updated (40) update outer.session-state { (40) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: Program returned code (1) and output \'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)\'' (40) } # update outer.session-state = noop (40) } # Post-Auth-Type REJECT = updated (40) } # server inner-tunnel (40) Virtual server sending reply (40) MS-CHAP-Error = "\010E=691 R=1 C=1985ba6f4d3735081b98c08700af1b01 V=3 M=Authentication rejected" (40) EAP-Message = 0x04080004 (40) Message-Authenticator = 0x00000000000000000000000000000000 (40) eap_peap: Got tunneled reply code 3 (40) eap_peap: MS-CHAP-Error = "\010E=691 R=1 C=1985ba6f4d3735081b98c08700af1b01 V=3 M=Authentication rejected" (40) eap_peap: EAP-Message = 0x04080004 (40) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (40) eap_peap: Got tunneled reply RADIUS code 3 (40) eap_peap: MS-CHAP-Error = "\010E=691 R=1 C=1985ba6f4d3735081b98c08700af1b01 V=3 M=Authentication rejected" (40) eap_peap: EAP-Message = 0x04080004 (40) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (40) eap_peap: Tunneled authentication was rejected (40) eap_peap: FAILURE (40) eap: Sending EAP Request (code 1) ID 9 length 46 (40) eap: EAP session adding &reply:State = 0x8afb70f28df269b5 (40) [eap] = handled (40) } # authenticate = handled (40) Using Post-Auth-Type Challenge (40) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (40) Challenge { ... } # empty sub-section is ignored (40) session-state: Saving cached attributes (40) Module-Failure-Message := "mschap: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'" (40) Sent Access-Challenge Id 248 from 10.222.34.11:1812 to 172.16.100.10:65092 length 0 (40) EAP-Message = 0x0109002e19001703030023cc5b8334628ab37bb472f1e4b99ece77d59027ce510b3ac1d5025c03cc60b794d73259 (40) Message-Authenticator = 0x00000000000000000000000000000000 (40) State = 0x8afb70f28df269b5cf854ba7abc363a9 (40) Finished request Waking up in 4.9 seconds. (39) Cleaning up request packet ID 249 with timestamp +985 (41) Received Access-Request Id 249 from 172.16.100.10:65092 to 10.222.34.11:1812 length 479 (41) User-Name = "joe.doe" (41) Service-Type = Framed-User (41) Cisco-AVPair = "service-type=Framed" (41) Framed-MTU = 1485 (41) EAP-Message = 0x0209002e1900170303002389bf7fdf3bb86e3fb7a4f82750437b28a44f01b7420ad299cf3bc0490d9e73ab33590b (41) Message-Authenticator = 0xa8d0b6155902a4394dfc46e21888f099 (41) Cisco-AVPair = "audit-session-id=0A6410AC00001FAE74DE0A43" (41) Cisco-AVPair = "method=dot1x" (41) Cisco-AVPair = "client-iif-id=2852134698" (41) Cisco-AVPair = "vlan-id=101" (41) NAS-IP-Address = 172.16.100.10 (41) NAS-Port-Id = "capwap_90000004" (41) NAS-Port-Type = Wireless-802.11 (41) NAS-Port = 5 (41) State = 0x8afb70f28df269b5cf854ba7abc363a9 (41) Cisco-AVPair = "cisco-wlan-ssid=NEFO1x" (41) Cisco-AVPair = "wlan-profile-name=NEFO-802.1x" (41) Called-Station-Id = "24-36-da-17-30-00:NEFO1x" (41) Calling-Station-Id = "7a-be-3e-4d-a8-62" (41) Airespace-Wlan-Id = 4 (41) NAS-Identifier = "WLC9120-NEFO" (41) WLAN-Group-Cipher = 1027076 (41) WLAN-Pairwise-Cipher = 1027076 (41) WLAN-AKM-Suite = 1027075 (41) WLAN-Group-Mgmt-Cipher = 1027078 (41) Restoring &session-state (41) &session-state:Module-Failure-Message := "mschap: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'" (41) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (41) authorize { (41) policy filter_username { (41) if (&User-Name) { (41) if (&User-Name) -> TRUE (41) if (&User-Name) { (41) if (&User-Name =~ / /) { (41) if (&User-Name =~ / /) -> FALSE (41) if (&User-Name =~ /@[^@]*@/ ) { (41) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (41) if (&User-Name =~ /\.\./ ) { (41) if (&User-Name =~ /\.\./ ) -> FALSE (41) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (41) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (41) if (&User-Name =~ /\.$/) { (41) if (&User-Name =~ /\.$/) -> FALSE (41) if (&User-Name =~ /@\./) { (41) if (&User-Name =~ /@\./) -> FALSE (41) } # if (&User-Name) = notfound (41) } # policy filter_username = notfound (41) [preprocess] = ok (41) [chap] = noop (41) [mschap] = noop (41) [digest] = noop (41) suffix: Checking for suffix after "@" (41) suffix: No '@' in User-Name = "joe.doe", looking up realm NULL (41) suffix: No such realm "NULL" (41) [suffix] = noop (41) eap: Peer sent EAP Response (code 2) ID 9 length 46 (41) eap: Continuing tunnel setup (41) [eap] = ok (41) } # authorize = ok (41) Found Auth-Type = eap (41) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (41) authenticate { (41) eap: Expiring EAP session with state 0x8afb70f28df269b5 (41) eap: Finished EAP session with state 0x8afb70f28df269b5 (41) eap: Previous EAP request found for state 0x8afb70f28df269b5, released from the list (41) eap: Peer sent packet with method EAP PEAP (25) (41) eap: Calling submodule eap_peap to process data (41) eap_peap: Continuing EAP-TLS (41) eap_peap: [eaptls verify] = ok (41) eap_peap: Done initial handshake (41) eap_peap: [eaptls process] = ok (41) eap_peap: Session established. Decoding tunneled attributes (41) eap_peap: PEAP state send tlv failure (41) eap_peap: Received EAP-TLV response (41) eap_peap: ERROR: The users session was previously rejected: returning reject (again.) (41) eap_peap: This means you need to read the PREVIOUS messages in the debug output (41) eap_peap: to find out the reason why the user was rejected (41) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you (41) eap_peap: what went wrong, and how to fix the problem (41) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (41) eap: Sending EAP Failure (code 4) ID 9 length 4 (41) eap: Failed in EAP select (41) [eap] = invalid (41) } # authenticate = invalid (41) Failed to authenticate the user (41) Using Post-Auth-Type Reject (41) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (41) Post-Auth-Type REJECT { (41) attr_filter.access_reject: EXPAND %{User-Name} (41) attr_filter.access_reject: --> joe.doe (41) attr_filter.access_reject: Matched entry DEFAULT at line 11 (41) [attr_filter.access_reject] = updated (41) [eap] = noop (41) policy remove_reply_message_if_eap { (41) if (&reply:EAP-Message && &reply:Reply-Message) { (41) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (41) else { (41) [noop] = noop (41) } # else = noop (41) } # policy remove_reply_message_if_eap = noop (41) } # Post-Auth-Type REJECT = updated (41) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (41) Sending delayed response (41) Sent Access-Reject Id 249 from 10.222.34.11:1812 to 172.16.100.10:65092 length 44 (41) EAP-Message = 0x04090004 (41) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Can anyone shed some light on this and point me in the right direction what else should I do? All the examples I am able to find on the internet are using AD/samba as database for freeradius which is not the case here.