Hi all I am still determined to make this work and have now reinstalled everything to start again with prior lessons learned. However - I am still unable to authenticate wireless clients by PEAP or TTLS MSCHAPv2 on a cisco access point (IP=192.168.0.98) with radius running on a MAC OSX server (IP=192.168.0.90) NOW Radtest works fine returning rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=237, length=20 AND if clients authenticate using only one protocol LEAP or TLS alone then authentication is also successful and an IP address assigned But if the client machine has protocols for authentication as TLS PEAP TTLS and EAP-FAST then the authentication fails with output as below Your help/insight would be greatly appreciated Thanks RADIUSD -X output during failed authentication by a client machine user name BBB password bbb1 (As mentioned: Cisco access point IP=192.168.0.98 and freeradius running on a MAC OSX server IP=192.168.0.90) rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=216, length=129 User-Name = "BBB" Framed-MTU = 1400 Called-Station-Id = "0023.331c.9680" Calling-Station-Id = "9027.e4f9.25b0" Service-Type = Login-User Message-Authenticator = 0x97a3bddfd63906e3230b58166cccdbd3 EAP-Message = 0x0201000801424242 NAS-Port-Type = Wireless-802.11 NAS-Port = 2113 NAS-Port-Id = "2113" NAS-IP-Address = 192.168.0.98 NAS-Identifier = "ap1250" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "BBB", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 8 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns updated [files] users: Matched entry BBB at line 1 ++[files] returns ok rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 192.168.0.98 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. ++[opendirectory] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 216 to 192.168.0.98 port 1645 EAP-Message = 0x010200061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8da1c3b98da3d6d5f63e6480350916ec Finished request 63. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=217, length=303 User-Name = "BBB" Framed-MTU = 1400 Called-Station-Id = "0023.331c.9680" Calling-Station-Id = "9027.e4f9.25b0" Service-Type = Login-User Message-Authenticator = 0x90d79354ab3708574c402c920154a72e EAP-Message = 0x020200a415800000009a16030100950100009103014e644aee06b1089ec2d1b1077222c6bb2c8d08967a8f07d3c2260773e8342cea000056c00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a00170019000101000012000a00080006001700180019000b00020100 NAS-Port-Type = Wireless-802.11 NAS-Port = 2113 NAS-Port-Id = "2113" State = 0x8da1c3b98da3d6d5f63e6480350916ec NAS-IP-Address = 192.168.0.98 NAS-Identifier = "ap1250" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "BBB", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 164 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 154 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 0095], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 085e], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 217 to 192.168.0.98 port 1645 EAP-Message = 0x0103040015c00000089b160301002a0200002603014e644aee10bdb60175c5117db3847fb794d60733f2c59fca91d5975050c9126400002f00160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3131303930353030353832335a170d3132303930343030353832335a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100a109405f25ca3b79e92c7801522fdd70caaa0b59075649db3171741ef29502438b01f69a6a9689972a67c2b00d8c20eeaabd3e07e00fae0a0946ac7e6c18 EAP-Message = 0xa543830a284f122814970db75cab444c8e2a6d857f8cdfacfbd6e38a268d1f3309a9f81d0ee86a856790beccd992c6e4ffe767a6a58aa2cfe00ddfc7710f621d73ff60599540f36dc9c45984dd58a2686858f81b00954cf1912236c1790c7a537de0c2534f79db99adcc65f999c5228ca865db465702dcc737416064f85e7c042f3c6499256a973106c8be19c1c1f62c19fa9ce2ac5e10fc945da5f4b09d9d41bee647544de173ac682fa789c814197d37ba7dd7d5abb655453b2a1ab9f0a7c9d6470203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100172dacb8d429d1ff6e EAP-Message = 0x0025c67c6a98a08669f0b27cd7c7fc4c3216b71902917801755db94ef25728746e66c6d92973e0281b2050c717be87ccf1beeff37ae8d0c62389e2ec23f360934efe09aed67aa355f69330b38178ec7ef5c267000d83d09cf07bd23c26608a7e73ecd38b01d8c7f1572f197f226d1cff0f3bd7ff8fcc15bdd69e784812a508a1e6ad66ab1ce1bb73201755aa7458e2dca57fff5b0cb98c30946e4f887cdccfaca32ed4c8c9a3d081fab7c0170412dc42cb557a2fd8b868f906bd354e85e16e63a0f6401210c2738a6589c7f39aced44d424bb96d78955e3f9f13d85b579a864a7853c5b7a081ea078bf344a6b8ff93b1ef5d99a6579c4a0004ab308204 EAP-Message = 0xa73082038fa0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8da1c3b98ca2d6d5f63e6480350916ec Finished request 64. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=218, length=145 User-Name = "BBB" Framed-MTU = 1400 Called-Station-Id = "0023.331c.9680" Calling-Station-Id = "9027.e4f9.25b0" Service-Type = Login-User Message-Authenticator = 0xbc49acdf46e9f7392e95984b40d81b60 EAP-Message = 0x020300061500 NAS-Port-Type = Wireless-802.11 NAS-Port = 2113 NAS-Port-Id = "2113" State = 0x8da1c3b98ca2d6d5f63e6480350916ec NAS-IP-Address = 192.168.0.98 NAS-Identifier = "ap1250" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "BBB", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 218 to 192.168.0.98 port 1645 EAP-Message = 0x0104040015c00000089b00ce558c5613e23e34300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3131303930353030353832335a170d3132303930343030353832335a308193310b3009060355040613024652310f300d0603550408130652616469757331123010 EAP-Message = 0x06035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100d587b88ec0b9cd885aa0e746855a0dfd9e022630cca789c7d74147c0d47f126f5bb2beccfd886811782b65af565946b5e8391c975faf0ec63e923f67922bf34c402a64765ab21ebd5daeeb8b5ec2d38c358f7f31f4afe42835dfb6e7ad418575c12bb8bb5ebeff32ffe654 EAP-Message = 0xda315990bea2ebf04a490269e79b617434dd6a4f028ad10c37f4117a52530ba5c1f16955db65ac3ae29b28edc5686f63aef4253fdc42423845687567dca3244a3573ab3ee1821fb63b889defb0411b4162f370d54049cb89e10323d038eee8900ee0ce36f9e06b5fdd6069a0798a50c358c532d592b224d3ce37f2497d653aebd10961d10de6764462f09cb2c2aa4013c99f11b8930203010001a381fb3081f8301d0603551d0e041604143814889e8f16c470dabd8d16540c6e06dd7ca86f3081c80603551d230481c03081bd80143814889e8f16c470dabd8d16540c6e06dd7ca86fa18199a48196308193310b3009060355040613024652310f300d EAP-Message = 0x060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900ce558c5613e23e34300c0603551d13040530030101ff300d06092a864886f70d010105050003820101005a445d2e471625992a0cd0df69008711b837412cbc11949a2b90e0835110517611a3fdc1924c0d74e9d39ed41867e5cd71080c731960fbe76b0b0065b4916af05175e76d024f60a79738b89fc4ff EAP-Message = 0x2531435e631293fe8f22a8f6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8da1c3b98fa5d6d5f63e6480350916ec Finished request 65. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=219, length=145 User-Name = "BBB" Framed-MTU = 1400 Called-Station-Id = "0023.331c.9680" Calling-Station-Id = "9027.e4f9.25b0" Service-Type = Login-User Message-Authenticator = 0x3e9c1e4acb4032de610b2c4a82aba6b6 EAP-Message = 0x020400061500 NAS-Port-Type = Wireless-802.11 NAS-Port = 2113 NAS-Port-Id = "2113" State = 0x8da1c3b98fa5d6d5f63e6480350916ec NAS-IP-Address = 192.168.0.98 NAS-Identifier = "ap1250" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "BBB", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 219 to 192.168.0.98 port 1645 EAP-Message = 0x010500b915800000089bb26c65dacb431b1c9e0bfb29f9c9c6093ad5e41ec29944e45c69e9cf6cf8b39a3613e540936f8023b928f6f3ac38f59688f9e6a0dee8b38ee2862e95785746880fc99058dc8ab6d2b2cff4db790b57df6a0c4bb9d0ef97b15d074e29ba4b403cf2247359aea0e458bf607002d5c1f030dca9b48b1d06b2f75f30de0c9c2062788c8491e6b2376dc9c321ebaf0d97a06ffd0286fc9d247c10ddd30ba03480eb32341a5d3eac2a16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8da1c3b98ea4d6d5f63e6480350916ec Finished request 66. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=220, length=477 User-Name = "BBB" Framed-MTU = 1400 Called-Station-Id = "0023.331c.9680" Calling-Station-Id = "9027.e4f9.25b0" Service-Type = Login-User Message-Authenticator = 0x1190157aa20ebeb87d3147073d614d51 EAP-Message = 0x0205015015800000014616030101061000010201005be8e37164b0394eda3c8aeffe0e90be053dd55d7371c0146e5e18c69de2a989e4566d073ecd5bb91873428e36ff5d4538af1e276f507648ede7c14e1d0513e9c869f0a49a756303420f3d3efbab64ca606ab79741fe099ee94f70f4601e22697d2f828480d2c211cd880122530ba52eabc60f6ace0c3d1eee2cb2b999d8f58a3bb5f16fe8828e83c07d09194add2c8fb1b7af0817555935d36c681f35b548272f36a71bf12c5b018fe729343fc0bc7f82269e92465479623e489d757f4c8b9cf5b30f21b11fb2066a1eacc8376ff307027de1bc21a87187c49c7c25fdf77253e9382c4cc8b36186 EAP-Message = 0x5846b663d4b689d55d3a34912da4f9b07698a4e7da5e89a21403010001011603010030bab04f465e9d3b4200b1d2dbd55e6bd2c728eb97cbcdd3fc27104654a546dc22944b34d7d482e18fde0a9f549f5f2253 NAS-Port-Type = Wireless-802.11 NAS-Port = 2113 NAS-Port-Id = "2113" State = 0x8da1c3b98ea4d6d5f63e6480350916ec NAS-IP-Address = 192.168.0.98 NAS-Identifier = "ap1250" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "BBB", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 326 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 220 to 192.168.0.98 port 1645 EAP-Message = 0x0106004515800000003b14030100010116030100306ab6b04c46449e888999e0d67e6802fcc2af216d8ae3cf79da88145abde2d0c862be1b0c5b718ea7130475602d2da362 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8da1c3b989a7d6d5f63e6480350916ec Finished request 67. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=221, length=282 User-Name = "BBB" Framed-MTU = 1400 Called-Station-Id = "0023.331c.9680" Calling-Station-Id = "9027.e4f9.25b0" Service-Type = Login-User Message-Authenticator = 0xb51cd376eef22ef1c49d4fa5a7c152e4 EAP-Message = 0x0206008f15800000008517030100809a51884eec0939c80d25cd8f66f9aa09b30e09516ed867243f5da7517a06d3ec10d3c3e05ea2491639ed7f39ab6f6bb9fac90194776d2a6fc02931d3d8554cb846633873d91fe7f19b76131480b45c539a5fe13bff09e99c51ebc3b177231511591184727a6e1a807c35725ceca270a9bec5f71b58523c674f36cd40837a7954 NAS-Port-Type = Wireless-802.11 NAS-Port = 2113 NAS-Port-Id = "2113" State = 0x8da1c3b989a7d6d5f63e6480350916ec NAS-IP-Address = 192.168.0.98 NAS-Identifier = "ap1250" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "BBB", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 143 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 133 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request User-Name = "BBB" MS-CHAP-Challenge = 0xdc44c3a996092783c753386d277c0fdb MS-CHAP2-Response = 0xea00f4a1a00dccebf6c1cd99ed1aecd987d2000000000000000031f407ff2772ee33933baa13615e7b06d0bd4f9e2f68f374 FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request User-Name = "BBB" MS-CHAP-Challenge = 0xdc44c3a996092783c753386d277c0fdb MS-CHAP2-Response = 0xea00f4a1a00dccebf6c1cd99ed1aecd987d2000000000000000031f407ff2772ee33933baa13615e7b06d0bd4f9e2f68f374 FreeRADIUS-Proxied-To = 127.0.0.1 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok ++[unix] returns updated [suffix] No '@' in User-Name = "BBB", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry BBB at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = MSCHAP +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv2 for BBB with NT-Password [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=BBB [mschap] mschap2: dc [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=b172f4e6d5a13aa3 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=31f407ff2772ee33933baa13615e7b06d0bd4f9e2f68f374 [2011/09/04 21:07:10, 0, pid=1176] /SourceCache/samba/samba-235.7/samba/source/utils/ntlm_auth.c:get_winbind_domain(146) could not obtain winbind domain name! Exec-Program output: Reading winbind reply failed! (0xc0000001) Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001) Exec-Program: returned: 1 [mschap] External script failed. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject Failed to authenticate the user. } # server inner-tunnel [ttls] Got tunneled reply code 3 MS-CHAP-Error = "\352E=691 R=1" [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> BBB attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 68 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 68 Sending Access-Reject of id 221 to 192.168.0.98 port 1645 EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 63 ID 216 with timestamp +907 Cleaning up request 64 ID 217 with timestamp +907 Cleaning up request 65 ID 218 with timestamp +907 Cleaning up request 66 ID 219 with timestamp +907 Cleaning up request 67 ID 220 with timestamp +907 Waking up in 1.0 seconds. Cleaning up request 68 ID 221 with timestamp +907 Ready to process requests. -- View this message in context: http://freeradius.1045715.n5.nabble.com/Mac-OSX-FreeRadius-EAP-Authenticatio... Sent from the FreeRadius - User mailing list archive at Nabble.com.