Thanks Alan . I did EAP and telnet works fine! I have set up the freeradius and using lotus notes LDAP I am able to get authenticated for a TELNET session with CISCO 2950. However in the same setup when I try to get the port authenticated for the WinXP client using EAP-MD5 it is being rejected Help Requested **************************************************************************************************** TEST PLATFORM **************************************************************************************************** LDAP : Lotus Notes Directory Radius : Freeradius 1.0.1 Switch : Cisco 2950 OS : Windows XP with SP2 **************************************************************************************************** Successfull telnet authentication using radius to Cisco 2950 **************************************************************************************************** Listening on proxy *:1814 Ready to process requests. rad_recv: Access-Request packet from host 172.16.1.1:1812, id=56, length=78 NAS-IP-Address = 172.16.1.1 NAS-Port = 1 NAS-Port-Type = Virtual User-Name = "abey" Calling-Station-Id = "172.16.2.1" User-Password = "abeypass" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for abey radius_xlat: '(uid=abey)' radius_xlat: 'o=example' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 192.168.1.1:389, authentication 0 rlm_ldap: bind as / to 192.168.1.1:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in o=example, with filter (uid=abey) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user abey authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 modcall[authorize]: module "files" returns notfound for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 0 rlm_ldap: - authenticate rlm_ldap: login attempt by "abey" with password "abeypass" rlm_ldap: user DN: CN=Abey Thomas,O=example rlm_ldap: (re)connect to 192.168.1.1:389, authentication 1 rlm_ldap: bind as CN=Abey Thomas,O=example/abeypass to 192.168.1.1:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user abey authenticated succesfully modcall[authenticate]: module "ldap" returns ok for request 0 modcall: group Auth-Type returns ok for request 0 Sending Access-Accept of id 56 to 172.16.1.1:1812 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 56 with timestamp 44481b5d Nothing to do. Sleeping until we see a request. **************************************************************************************************** Unsuccessful authentication using WinXP EAP-MD5 with LDAP **************************************************************************************************** rad_recv: Access-Request packet from host 172.16.1.1:1812, id=65, length=162 NAS-IP-Address = 172.16.1.1 NAS-Port = 50035 NAS-Port-Type = Ethernet User-Name = "abey" Called-Station-Id = "00-14-69-B1-DE-63" Calling-Station-Id = "00-16-17-29-73-6A" Service-Type = Framed-User Framed-MTU = 1500 State = 0x20e0298dbd677f901ed08b90898c8919 EAP-Message = 0x0201001c0410cbc40efb162c0ae53832615a88e73548616265796274 Message-Authenticator = 0xae7f4801c3431879926a3ec72e5bcc5b Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for abey radius_xlat: '(uid=abey)' radius_xlat: 'o=example' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=example, with filter (uid=abey) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user abey authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 1 rlm_eap: EAP packet type response id 1 length 28 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 modcall[authorize]: module "files" returns notfound for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type LDAP rad_check_password: Found Auth-Type EAP Warning: Found 2 auth-types on request for user 'abey' auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/md5 rlm_eap: processing type md5 rlm_eap_md5: User-Password is required for EAP-MD5 authentication rlm_eap: Handler failed in EAP/md5 rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 1 modcall: group authenticate returns invalid for request 1 auth: Failed to validate the user. Delaying request 1 for 1 seconds Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 65 to 172.16.1.1:1812 EAP-Message = 0x04010004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 64 with timestamp 44483e3e Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 65 with timestamp 44483e3f Nothing to do. Sleeping until we see a request. **************************************************************************************************** radiusd.conf **************************************************************************************************** prefix = /usr exec_prefix = ${prefix} sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = /usr/lib/freeradius pidfile = ${run_dir}/radiusd.pid user = radiusd group = radiusd max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = no log_auth_badpass = no log_auth_goodpass = no usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } $INCLUDE ${confdir}/clients.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { eap { default_eap_type = md5 timer_expire = 120 md5 { } leap { } } ldap { server = "10.1.1.111" basedn = "o=slashsupport" filter = "(uid=%u)" } preprocess { } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users compat = no } } authorize { ldap eap files } authenticate { eap Auth-Type LDAP { ldap } } **************************************************************************************************** users **************************************************************************************************** userone User-Password == "userpass" # DEFAULT Auth-Type := LDAP # Fall-Through = 1 # ************************************************************************* Regards, Abey Babu Thomas