Hello Everybody! We are having issue in trying to setup Radius server with a huwaei quidway S3900 as authenticator. The switch ports are configured as hybrid and tagged on all our four vlans. We also configure VLAN 1 (the default) as guest vlan of the ports and dot1x is activated globally and on each ethernet port. Radius server is configure to search for users in LDAP directory. Here is one off our user parameters in the directory: dn: uid=toto,ou=Users,ou=ceforp,dc=uac,dc=bj uid: toto cn: toto sambaSID: toto telephoneNumber: 00000000 roomNumber: 00000000 homePhone: 97 09 61 90/90 04 12 26 givenName: toto sn: toto mail: toto@ceforp.uac.bj objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: radiusProfile objectClass: top objectClass: sambaSamAccount objectClass: shadowAccount userPassword: {crypt}$1$JGZ378je$G9BPCKU.BWv1QEAZCQtFO. sambaLMPassword: AZERTY sambaNTPassword: AZERTY shadowLastChange: 14250 shadowMax: 99999 shadowWarning: 7 radiusTunnelPrivateGroup-Id: "2" radiusTunnelMediumType: IEEE-802 radiusTunnelType: VLAN loginShell: /bin/bash uidNumber: 1616 gidNumber: 1614 homeDirectory: /home/toto gecos: Akouma toto,,,97 09 61 90/90 04 12 26 When we try the authentication with this user account, although radius log send the VLAN attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) in Access-Challenge messages and finally send an Access-Accept message, the switch does not assign the right VLAN( the switching from VLAN 1 to VLAN 2 does not occur) and the user still in VLAN 1. We note that there is no VLAN attribute in Access-Accept message. What may be wrong ? Below is the radius server's output log Ready to process requests. rad_recv: Access-Request packet from host 192.168.100.5 port 5001, id=22, length =115 User-Name = "toto" EAP-Message = 0x0201000901746f746f Message-Authenticator = 0x60464542ce8c771452c8234d62a8de2d NAS-IP-Address = 192.168.100.5 NAS-Identifier = "000fe265a2f5" NAS-Port = 268455937 NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "000b-5d4a-369f" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "toto", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 1 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound users: Matched entry DEFAULT at line 172 ++[files] returns ok rlm_ldap: - authorize rlm_ldap: performing user authorization for toto expand: (&(objectclass=posixAccount)(uid=%u)) -> (&(objectclass=posixAcc ount)(uid=toto)) expand: dc=uac,dc=bj -> dc=uac,dc=bj rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection Sending Access-Challenge of id 22 to 192.168.100.5 port 5001 Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP Tunnel-Private-Group-Id:0 = "2" Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa88eb0cba88ca91516c2ad39391ee6f1 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.100.5 port 5001, id=23, length=236 User-Name = "toto" EAP-Message = 0x0202007019800000006616030100610100005d03014a3f38dbbadfdeb57d18de0598e2cc8fc3a93bdc048767fda66314b9273e319b200a7da7d94248ab602a4aad9e3fcb579310da741faf694e40b9fef41839ae4604001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0x3cf0c9732a7a9b23dea1cf4538f76931 NAS-IP-Address = 192.168.100.5 NAS-Identifier = "000fe265a2f5" NAS-Port = 268455937 NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "000b-5d4a-369f" State = 0xa88eb0cba88ca91516c2ad39391ee6f1 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "toto", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 2 length 112 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 102 rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0eb6], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 23 to 192.168.100.5 port 5001 EAP-Message = 0x0103040019c000000f13160301004a0200004603014a3f46ed27ac2ce8a976a6a7a18e528a981c1274689c91b8dd0f371a71ef957e201e2e2fb4a46d14234197b85b3d21307055bb67a12dd408dcad5b39db5e679e770004001603010eb60b000eb2000eaf000759308207553082053da003020102020101300d06092a864886f70d01010505003081a2310b300906035504061302424a311330110603550408130a41746c616e7469717565311630140603550407130d41626f6d65792d43616c6176693121301f060355040a1318556e69766572736974652041626f6d65792d43616c6176693111300f060355040b1308526563746f726174311430 EAP-Message = 0x120603550403140b726f6f745f43415f554143311a301806092a864886f70d010901160b696e666f407561632e626a301e170d3038303731373135353833355a170d3039303731373135353833355a3081a4310b300906035504061302424a311330110603550408130a41746c616e7469717565311630140603550407130d41626f6d65792d43616c6176693121301f060355040a1318556e69766572736974652041626f6d65792d43616c6176693111300f060355040b1308526563746f726174311630140603550403130d63616c6176692e7561632e626a311a301806092a864886f70d010901160b696e666f407561632e626a30820222300d06 EAP-Message = 0x092a864886f70d01010105000382020f003082020a0282020100ba35068b7967acc67f03fe9f0cd76ea4fc16bb62b8986f8a2e70413e22942f1e7604ab691177fdb5fd14: a030bb00840b9281a6ee37482bcb1f95d7cbeb23a06a1f659a48f4380a23acc10952d5c70258579fbda12d599aabd12d4ddb5de20e943c515ea8f817f15fc4b1201ba2952a43c8b4ef52941f256670d7e216ec19930e940ce1832e9b953096dc6ef00bbb1dc173b800b183c5d1f20383d29f7c8795d5ed22c8d6075f492d2adb6700a51ed0f8c8793c2d460be5d822a8309b541802b27c2c496be98c1a0737ed88ac27cd94bd85ef58a16f3dba29d3b94754265bd7d24ddea4 EAP-Message = 0x45efe16f59861c8f63dffa7835ba4e3f654afd6c2f50bbd1f11e220bd5df962d0e516688c7e9124128eb9bd23caf997fe12ad314ecbbce6c5dd3549df7aeb8b879bfdf2727b3aa1e4019283741448cf3e2148ea203a546e25c60fee5fe5da03d3fe1265da3dbe91bb7e620d1932e83d4e05433d6f2aa30a5264f30a134574f03c418c8077e7333d774f9b8a6451eea70a918f132cecf7957423a22784653042a5fcc6a8a0a66aefce4fff473ee078ed7fb2a3b1cab12694e3d1f9f44bae7ebaa6c6be4686e475ab908428af9592000f62b93ba39bfe15863907dc535941e1d7e9b5236874fb51979f8662aadc3dc1bdc5e34a9bdd3e32430fbe857523b EAP-Message = 0x0d3f2885d5031e5f76099610 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa88eb0cba98da91516c2ad39391ee6f1 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.100.5 port 5001, id=24, length=130 User-Name = "toto" EAP-Message = 0x020300061900 Message-Authenticator = 0xb5552c32bd90604d37c9c0fb4482455e NAS-IP-Address = 192.168.100.5 NAS-Identifier = "000fe265a2f5" NAS-Port = 268455937 NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "000b-5d4a-369f" State = 0xa88eb0cba98da91516c2ad39391ee6f1 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "toto", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 3 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 24 to 192.168.100.5 port 5001 EAP-Message = 0x010403fc1940b38003bf6e1f8b658ce51826eea11c0bf44abf450203010001a38201903082018c30090603551d1304023000301106096086480186f8420101040403020640302b06096086480186f842010d041e161c54696e7943412047656e657261746564204365727469666963617465301d0603551d0e04160414f17eea30a8f7f709053f3f7bed44e40d6d63c68a3081d70603551d230481cf3081cc8014c3580d7f0c9b26c3fcca6bddecc25329b3ed999ea181a8a481a53081a2310b300906035504061302424a311330110603550408130a41746c616e7469717565311630140603550407130d41626f6d65792d43616c6176693121301f06 EAP-Message = 0x0355040a1318556e69766572736974652041626f6d65792d43616c6176693111300f060355040b1308526563746f726174311430120603550403140b726f6f745f43415f554143311a301806092a864886f70d010901160b696e666f407561632e626a820900f454a6d25d837f6130160603551d12040f300d810b696e666f407561632e626a30160603551d11040f300d810b696e666f407561632e626a30160603551d250101ff040c300a06082b06010505070301300d06092a864886f70d0101050500038202010075889612daeb738396e4a633941133cd7614298049994d4992ccef22cbb75e37e26fe9f51f9ce8515ea0918db7864da4440933 EAP-Message = 0x48844b57b3456682ac4b3f45d62d86f7212af508730fb37f53225ffbbc2fdb3389346da7802eec86548588c0cf01c50417969e4d3566c9ca0ae3910f6c79047d2510b9fb557185e826bf355820de2952f9aec584ce6e89062b088ded33999cde33f95fe3fe6f173623cde8838901421c17541dacf82879a49712ba9d082c9ebde368272af85d031e9049dead03902ebe71bb3a1b5e3c8385902c677cfac0c1ee8ac405a6cb77c6f64cdcf09b1d61874cb3eac03ce9f283d130caaceaa38a65c12e7d13a6d34444def970fd60d973fe7b2031abc41fa019dfd91cdfeeaab155f615f327c7b5fd711b79db87f45aa2b97c4e2bb44ef02d77392b0bb5d93c EAP-Message = 0xe888d84f68211cd1f5c40eda157273e3e193c20d682ad3f30f0765ece4c20646afac050b8493e0874845971a2a03645d412b6aa96ea90fcae6df3fd94d6502900ad1c15f756f6c28cec9618f497faf5c32c200771a0b0e9652749b06ffa8837b0795883b757b81e62b4ad3d9eba615ccf63fc7f6d12d038814e32d013972b21b033399b4dea04c7368b4c20e80c405d25d70a49b1c16ad339510cc041bc529950d5e0769de26399739d2383499951bc54db8c1342e86354291c1f62b8b1816be8e184a30b6c761c73eea65c0d03ae8830007503082074c30820534a003020102020900f454a6d25d837f61300d06092a864886f70d01010505003081a2 EAP-Message = 0x310b300906035504 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa88eb0cbaa8aa91516c2ad39391ee6f1 Finished request 2. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.100.5 port 5001, id=25, length=130 User-Name = "toto" EAP-Message = 0x020400061900 Message-Authenticator = 0x5eeac44dfede983aedee24c387cb44e9 NAS-IP-Address = 192.168.100.5 NAS-Identifier = "000fe265a2f5" NAS-Port = 268455937 NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "000b-5d4a-369f" State = 0xa88eb0cbaa8aa91516c2ad39391ee6f1 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "toto", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 4 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 25 to 192.168.100.5 port 5001 EAP-Message = 0x010503fc1940061302424a311330110603550408130a41746c616e74: 69717565311630140603550407130d41626f6d65792d43616c6176693121301f060355040a1318556e69766572736974652041626f6d65792d43616c6176693111300f060355040b1308526563746f726174311430120603550403140b726f6f745f43415f554143311a301806092a864886f70d010901160b696e666f407561632e626a301e170d3038303731373135353331385a170d3138303731353135353331385a3081a2310b300906035504061302424a311330110603550408130a41746c616e7469717565311630140603550407130d41626f6d65792d43616c617669 EAP-Message = 0x3121301f060355040a1318556e69766572736974652041626f6d65792d43616c6176693111300f060355040b1308526563746f726174311430120603550403140b726f6f745f43415f554143311a301806092a864886f70d010901160b696e666f407561632e626a30820222300d06092a864886f70d01010105000382020f003082020a0282020100f4b24ec17856ccd0925b38267d08f774b4e8305facfc02da999c9d5787a4d6b57af62d62531b4ee11135cf1546825c9c7aa6eb452c5adc6a768616ec978be9ddb0e98b1b1d23d2056c5fe37f46247295851e5c4866dec12d3b298b3d9b7629208465333f1f479a886f8321e8768b6a32c9563ecf EAP-Message = 0xfd7d052a60062bf19ea4c007138dbedfb86604118f1c20c7e7769a82cd10564c4624a53786e894a174a253585bca0e92e8f32923fdde919eee543c6ac7b1e6af377a726d62cdab0941c4bacccd7a40fd1762b4682c47150b33a819d4ce4e01e31a989dce7ea27fc14c6bf6c4ef036929e3ec575b94610bcc30d0d0159b94a41182650f071d1b73a7e9a8cbe844be37b3ce1193910909bee58ca887a0a4b6ea65674aac02012eb9c0f5207982e2b06d2c4d36e5af8b508edf8f65234696eeae28121a786c906e933f56770d32ee8987de8b678d809dc53d98da8b805c62953231091b47026c2bf695899b7c170197219e4b80f6d5bb1135c76e11e641e7 EAP-Message = 0x6eda160e7661681a20b9381dcddcc5da66c62e9d40885dd74b38733981cc17f8735cca0122e34ed54e822d8d607215055a06834c0d0dd8b770fe025c4d0fb310baea2e876d5e9574e4c68282d0b440acd1bb420f329c0cefda380d72c6cd635dca12658b638b58bea300430511b391e39ffa5a778cd618a444517759644e3b714a3c7dba6b53de21aea101b29656e30203010001a38201813082017d301d0603551d0e04160414c3580d7f0c9b26c3fcca6bddecc25329b3ed999e3081d70603551d230481cf3081cc8014c3580d7f0c9b26c3fcca6bddecc25329b3ed999ea181a8a481a53081a2310b300906035504061302424a3113301106035504 EAP-Message = 0x08130a41746c616e Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa88eb0cbab8ba91516c2ad39391ee6f1 Finished request 3. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.100.5 port 5001, id=26, length=130 User-Name = "toto" EAP-Message = 0x020500061900 Message-Authenticator = 0x95ef28d6ba4539705842ff6961284ff6 NAS-IP-Address = 192.168.100.5 NAS-Identifier = "000fe265a2f5" NAS-Port = 268455937 NAS-Port-Type = Ethernet Service-Type = Framed-User Calling-Station-Id = "000b-5d4a-369f" State = 0xa88eb0cbae86a91516c2ad39391ee6f1 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "toto", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 8 length 32 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - toto PEAP: Got tunneled EAP-Message EAP-Message = 0x0208000901746f746f PEAP: Got tunneled identity of toto PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to toto PEAP: Sending tunneled request EAP-Message = 0x0208000901746f746f FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "toto" server (null) { +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "toto", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 8 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for toto expand: (&(objectclass=posixAccount)(uid=%u)) -> (&(objectclass=posixAccount)(uid=toto)) expand: dc=uac,dc=bj -> dc=uac,dc=bj rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=uac,dc=bj, with filter (&(objectclass=posixAccount)(uid=toto)) rlm_ldap: checking if remote access for toto is allowed by uid rlm_ldap: No default NMAS login sequence rlm_ldap: looking for check items in directory... rlm_ldap: LDAP attribute sambaNTPassword as RADIUS attribute NT-Password == 0x4332313832333530444532433243463343344435434231343441394431444233 rlm_ldap: LDAP attribute sambaLMPassword as RADIUS attribute LM-Password == 0x3337364436424445433041413644323839343445324446343839413838304534 rlm_ldap: LDAP attribute userPassword as RADIUS attribute User-Password == "totouser" :rlm_ldap: looking for reply items in directory... rlm_ldap: LDAP attribute radiusTunnelPrivateGroupId as RADIUS attribute Tunnel-Private-Group-Id:0 = "2" rlm_ldap: LDAP attribute radiusTunnelMediumType as RADIUS attribute Tunnel-Medium-Type:0 = IEEE-802 rlm_ldap: LDAP attribute radiusTunnelType as RADIUS attribute Tunnel-Type:0 = VLAN rlm_ldap: user toto authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Normalizing NT-Password from hex encoding rlm_pap: Normalizing LM-Password from hex encoding rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server (null) PEAP: Got tunneled reply RADIUS code 11 Tunnel-Private-Group-Id:0 = "2" Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN EAP-Message = 0x0109001e1a010900191007ae8dd49bdfd0c817732291052c1735746f746f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0c186c320c1176bedb16c1e664f42fe2 PEAP: Processing from tunneled session code 0x7c2670 11 Tunnel-Private-Group-Id:0 = "2" Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN EAP-Message = 0x0109001e1a010900191007ae8dd49bdfd0c817732291052c1735746f: 746f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0c186c320c1176bedb16c1e664f42fe2 PEAP: Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 29 to 192.168.100.5 port 5001 EAP-Message = 0x010900351900170301002ae5ded2cf6543b4449305996cc5fdcfec9bf7867d5fdb62ee189022502a79da435f13d7b9b80c2f8ced86 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa88eb0cbaf87a91516c2ad39391ee6f1 Finished request 7. Going to the next request Waking up in 4.4 seconds. rad_recv: Access-Request packet from host 192.168.100.5 port 5001, id=30, length=210 User-Name = "toto" EAP-Message = 0x020900561900170301004bbaf13ec9d401f583cd58929b8f7f454cdb002639dc4ea00b14a69f6400eea5d340665d95edb631514792962e1d54723456e074bd14b4ba6f45464f3d30552dc3f8823cd456500ca92efae7 Message-Authenticator = 0xa44820cdf03d1108a8d932ec95e953ef NAS-IP-Address = 192.168.100.5 NAS-Identifier = "000fe265a2f5" NAS-Port = 268455937 NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "000b-5d4a-369f" State = 0xa88eb0cbaf87a91516c2ad39391ee6f1 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "toto", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 9 length 86 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 PEAP: Got tunneled EAP-Message EAP-Message = 0x0209003f1a0209003a31f627621d72908d812dcc8660104a923b00000000000000007d029e559fbcc706309ba7f099f573290ecf7056a219884a00746f746f PEAP: Setting User-Name to toto PEAP: Sending tunneled request EAP-Message = 0x0209003f1a0209003a31f627621d72908d812dcc8660104a923b00000000000000007d029e559fbcc706309ba7f099f573290ecf7056a219884a00746f746f FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "toto" State = 0x0c186c320c1176bedb16c1e664f42fe2 server (null) { +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "toto", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 9 length 63 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for toto expand: (&(objectclass=posixAccount)(uid=%u)) -> (&(objectclass=posixAccount)(uid=toto)) expand: dc=uac,dc=bj -> dc=uac,dc=bj rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=uac,dc=bj, with filter (&(objectclass=posixAccount)(uid=toto)) rlm_ldap: checking if remote access for toto is allowed by uid rlm_ldap: No default NMAS login sequence rlm_ldap: looking for check items in directory... rlm_ldap: LDAP attribute sambaNTPassword as RADIUS attribute NT-Password == 0x4332313832333530444532433243463343344435434231343441394431444233 rlm_ldap: LDAP attribute sambaLMPassword as RADIUS attribute LM-Password == 0x3337364436424445433041413644323839343445324446343839413838304534 rlm_ldap: LDAP attribute userPassword as RADIUS attribute User-Password == "totouser" rlm_ldap: looking for reply items in directory... rlm_ldap: LDAP attribute radiusTunnelPrivateGroupId as RADIUS attribute Tunnel-Private-Group-Id:0 = "2" rlm_ldap: LDAP attribute radiusTunnelMediumType as RADIUS attribute Tunnel-Medium-Type:0 = IEEE-802 rlm_ldap: LDAP attribute radiusTunnelType as RADIUS attribute Tunnel-Type:0 = VLAN rlm_ldap: user toto authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Normalizing NT-Password from hex encoding rlm_pap: Normalizing LM-Password from hex encoding rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: Found LM-Password rlm_mschap: Found NT-Password rlm_mschap: Told to do MS-CHAPv2 for toto with NT-Password rlm_mschap: adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server (null) PEAP: Got tunneled reply RADIUS code 11 Tunnel-Private-Group-Id:0 = "2" Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN EAP-Message = 0x010a00331a0309002e533d45324635434146333132433946454341393932443738373436364344424342443444364643444134 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0c186c320d1276bedb16c1e664f42fe2 PEAP: Processing from tunneled session code 0x7c52c0 11 Tunnel-Private-Group-Id:0 = "2" Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN EAP-Message = 0x010a00331a0309002e533d45324635434146333132433946454341393932443738373436364344424342443444364643444134 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0c186c320d1276bedb16c1e664f42fe2 PEAP: Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 30 to 192.168.100.5 port 5001 EAP-Message = 0x010a004a1900170301003ff9c9a8096c8008435d18d64dd2844e84eaccd55bc005519a1e4330882677b71ee2dfdead2f7bfc9dcf711bd2b6776b5ded041a41783f07063d0a82dfff7eee Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa88eb0cba084a91516c2ad39391ee6f1 Finished request 8. Going to the next request Waking up in 4.3 seconds. rad_recv: Access-Request packet from host 192.168.100.5 port 5001, id=31, length=153 User-Name = "toto" EAP-Message = 0x020a001d19001703010012c5c3e515e280e0362280ea65d35a6ee5f57e Message-Authenticator = 0xb12836f1115dd64af2d01d2d0fc41bca NAS-IP-Address = 192.168.100.5 NAS-Identifier = "000fe265a2f5" NAS-Port = 268455937 NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "000b-5d4a-369f" State = 0xa88eb0cba084a91516c2ad39391ee6f1 +- entering group authorize rad_recv: Access-Request packet from host 192.168.100.5 port 5001, id=32, length =162 User-Name = "toto" EAP-Message = 0x020b00261900170301001bac16d38a5cfbaed36ed0105a6c7c16925c 925a2a8a04b60c164770 Message-Authenticator = 0x6969775e3b691b3e7ef57aaa3e4d3ba7 NAS-IP-Address = 192.168.100.5 NAS-Identifier = "000fe265a2f5" NAS-Port = 268455937 NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "000b-5d4a-369f" State = 0xa88eb0cba185a91516c2ad39391ee6f1 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "toto", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 11 length 38 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Success rlm_eap: Freeing handler ++[eap] returns ok Login OK: [toto/<via Auth-Type = EAP>] (from client uac_quid002 port 268455937 cli 000b-5d4a-369f) +- entering group post-auth ++[exec] returns noop Sending Access-Accept of id 32 to 192.168.100.5 port 5001 MS-MPPE-Recv-Key = 0x3fc9ad8eb5c61fa194fbcf43ec68aa879a28a6f2b25d5dcc96531f47dccdae69 MS-MPPE-Send-Key = 0xaf8ead06473463ae03e04ac1cc4f09e8e827287effa7ccaf360b0b8bbc2ed18e EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "toto" Finished request 10. Going to the next request Waking up in 4.1 seconds. Thanks for your help!