Thanks a lot Alan, sometime ago I commented some options in eap.conf to leave just eap-mschapv2, and also applied filter attr_filter.access_challenge.post-auth to remove some attributes in access-challenge. Also think I enabled eap in authorize/auth (i think under /etc/raddb/sites-enabled/inner-tunnel). I do not think I did more. EAP was working, EAP-start is a new use case I need to support. I have removed the access-challenge filter to check but have the same result. The full debug of the access-attmpt (0) Received Access-Request Id 5 from 10.0.87.205:64385 to 192.168.99.9:1812 length 152 (0) User-Name = "swan" (0) Acct-Session-Id = "172.172.172.40-172.20.182.6:4500-1588347078" (0) Calling-Station-Id = "172.20.182.6:4500" (0) Called-Station-Id = "172.172.172.40" (0) NAS-Port-Id = "tunnel-1.public:40" (0) NAS-Identifier = "vBNG" (0) EAP-Message = 0x (0) Message-Authenticator = 0x8cdfcf1a44d32676220a00a478daea33 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "swan", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Got EAP_START message (0) [eap] = handled (0) } # authorize = handled (0) There was no response configured: rejecting request (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> swan (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 5 from 192.168.99.9:1812 to 10.0.87.205:64385 length 27 (0) EAP-Message = 0x0100000501 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 5 with timestamp +15 Ready to process requests Not sure if you refer to this debug. Kind regards, Javi En viernes, 1 de mayo de 2020 15:27:57 CEST, Alan DeKok <aland@deployingradius.com> escribió: On May 1, 2020, at 8:46 AM, JAVIER SANDOVAL via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I would appreciate your help, I am not that familiar with freeradius.
That's fine.
I am using FreeRADIUS Version 3.0.20. I do not success Radius server to initiate EAP-Identity Request after START as stated in
https://wiki.freeradius.org/modules/Rlm_eap#How_Freeradius_can_handle_EAPSTA... I get a reject reject, it seems something more is needed partial log:
Full logs are generally preferred.
(0) eap: Got EAP_START message (0) [eap] = handled (0) } # authorize = handled (0) There was no response configured: rejecting request
Hmm... I haven't seen that. What did you change? The default configuration works... Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html