First time using freeradius, attempting to setup freeradius server on a RPi to create a testing environment for WPA2 Enterprise use on an IoT device. Any help to understand where I am going wrong gratefully received. Included below is the debug output on startup and when an attempt to connect using PEAP-MSCHAPv2 using just username and password (no certificate). The startup contains a few warnings which I assume are not material. The login debug has an error MS-CHAP2-Response is incorrect which comes after a WARNING: Auth-Type already set. Not setting to PAP? FreeRADIUS Version 3.0.12 [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". Ready to process requests Below is what debug output when trying to connect to the WAP. (0) Received Access-Request Id 37 from 192.168.1.38:52437 to 192.168.1.33:1812 length 172 (0) User-Name = "particle" (0) NAS-IP-Address = 192.168.1.38 (0) NAS-Identifier = "b4fbe4c348ab" (0) NAS-Port = 0 (0) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (0) Calling-Station-Id = "E0-4F-43-36-B1-F1" (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Connect-Info = "CONNECT 0Mbps 802.11b" (0) EAP-Message = 0x0205000d017061727469636c65 (0) Message-Authenticator = 0x3d7c5462881eb85ae3c3e8b1e7f2dcd8 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "particle", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 5 length 13 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_md5 to process data (0) eap_md5: Issuing MD5 Challenge (0) eap: Sending EAP Request (code 1) ID 6 length 22 (0) eap: EAP session adding &reply:State = 0x792e584479285c88 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Sent Access-Challenge Id 37 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (0) EAP-Message = 0x0106001604101e0a216dfaac8434a1e13f61d8e18c5f (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x792e584479285c88d729d5f4b5ba04a4 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 38 from 192.168.1.38:52437 to 192.168.1.33:1812 length 183 (1) User-Name = "particle" (1) NAS-IP-Address = 192.168.1.38 (1) NAS-Identifier = "b4fbe4c348ab" (1) NAS-Port = 0 (1) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (1) Calling-Station-Id = "E0-4F-43-36-B1-F1" (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) Connect-Info = "CONNECT 0Mbps 802.11b" (1) EAP-Message = 0x020600060319 (1) State = 0x792e584479285c88d729d5f4b5ba04a4 (1) Message-Authenticator = 0x81a3bc304acaf36767e74474836e1265 (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "particle", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 6 length 6 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) files: users: Matched entry particle at line 1 (1) [files] = ok (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x792e584479285c88 (1) eap: Finished EAP session with state 0x792e584479285c88 (1) eap: Previous EAP request found for state 0x792e584479285c88, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Found mutually acceptable type PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Initiating new EAP-TLS session (1) eap_peap: [eaptls start] = request (1) eap: Sending EAP Request (code 1) ID 7 length 6 (1) eap: EAP session adding &reply:State = 0x792e584478294188 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) Sent Access-Challenge Id 38 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (1) EAP-Message = 0x010700061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x792e584478294188d729d5f4b5ba04a4 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 39 from 192.168.1.38:52437 to 192.168.1.33:1812 length 273 (2) User-Name = "particle" (2) NAS-IP-Address = 192.168.1.38 (2) NAS-Identifier = "b4fbe4c348ab" (2) NAS-Port = 0 (2) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (2) Calling-Station-Id = "E0-4F-43-36-B1-F1" (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Connect-Info = "CONNECT 0Mbps 802.11b" (2) EAP-Message = 0x0207006019800000005616030300510100004d030300000013d1a5ed06c133a6582eb8f8b59713a271b38c51af54d5ef2e0cc8b6d6000004003c002f01000020000a000400020017000b00020100000d000e000c020102030301030304010403 (2) State = 0x792e584478294188d729d5f4b5ba04a4 (2) Message-Authenticator = 0xbf54c5bcfb0c4aae623b313a7cec24bf (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "particle", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 7 length 96 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x792e584478294188 (2) eap: Finished EAP session with state 0x792e584478294188 (2) eap: Previous EAP request found for state 0x792e584478294188, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer indicated complete TLS record size will be 86 bytes (2) eap_peap: Got complete TLS record (86 bytes) (2) eap_peap: [eaptls verify] = length included (2) eap_peap: (other): before SSL initialization (2) eap_peap: TLS_accept: before SSL initialization (2) eap_peap: TLS_accept: before SSL initialization (2) eap_peap: <<< recv TLS 1.2 [length 0051] (2) eap_peap: TLS_accept: SSLv3/TLS read client hello (2) eap_peap: >>> send TLS 1.2 [length 002a] (2) eap_peap: TLS_accept: SSLv3/TLS write server hello (2) eap_peap: >>> send TLS 1.2 [length 02f1] (2) eap_peap: TLS_accept: SSLv3/TLS write certificate (2) eap_peap: >>> send TLS 1.2 [length 0004] (2) eap_peap: TLS_accept: SSLv3/TLS write server done (2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done (2) eap_peap: In SSL Handshake Phase (2) eap_peap: In SSL Accept mode (2) eap_peap: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 8 length 820 (2) eap: EAP session adding &reply:State = 0x792e58447b264188 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) Sent Access-Challenge Id 39 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (2) EAP-Message = 0x010803341900160303002a0200002603035010c628e6c3e571ecdfcb7ed14e02f944e131af1f1483cff17b618c02935b4200003c0016030302f10b0002ed0002ea0002e7308202e3308201cba003020102020900a170e33eaa8a04e7300d06092a864886f70d01010b0500301b3119301706035504030c (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x792e58447b264188d729d5f4b5ba04a4 (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 40 from 192.168.1.38:52437 to 192.168.1.33:1812 length 547 (3) User-Name = "particle" (3) NAS-IP-Address = 192.168.1.38 (3) NAS-Identifier = "b4fbe4c348ab" (3) NAS-Port = 0 (3) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (3) Calling-Station-Id = "E0-4F-43-36-B1-F1" (3) Framed-MTU = 1400 (3) NAS-Port-Type = Wireless-802.11 (3) Connect-Info = "CONNECT 0Mbps 802.11b" (3) EAP-Message = 0x02080170198000000166160303010610000102010070ac8a7222a41f5fab40c2a114f343932b699e7629ee25a0ef96616b1582f4e105812e9efb79e3696823f69a931188eeb04bd2f4d9b67869db2d585364c2515a1d44414cc41bc6d87ba8df2ad36e6ba1e57e10fbeb14fc76837d57b50d95a780dc67 (3) State = 0x792e58447b264188d729d5f4b5ba04a4 (3) Message-Authenticator = 0xe80722a96c83d29962b7c6216f7a1b24 (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "particle", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 8 length 368 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x792e58447b264188 (3) eap: Finished EAP session with state 0x792e58447b264188 (3) eap: Previous EAP request found for state 0x792e58447b264188, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: Continuing EAP-TLS (3) eap_peap: Peer indicated complete TLS record size will be 358 bytes (3) eap_peap: Got complete TLS record (358 bytes) (3) eap_peap: [eaptls verify] = length included (3) eap_peap: TLS_accept: SSLv3/TLS write server done (3) eap_peap: <<< recv TLS 1.2 [length 0106] (3) eap_peap: TLS_accept: SSLv3/TLS read client key exchange (3) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec (3) eap_peap: <<< recv TLS 1.2 [length 0010] (3) eap_peap: TLS_accept: SSLv3/TLS read finished (3) eap_peap: >>> send TLS 1.2 [length 0001] (3) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec (3) eap_peap: >>> send TLS 1.2 [length 0010] (3) eap_peap: TLS_accept: SSLv3/TLS write finished (3) eap_peap: (other): SSL negotiation finished successfully (3) eap_peap: SSL Connection Established (3) eap_peap: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 9 length 97 (3) eap: EAP session adding &reply:State = 0x792e58447a274188 (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) Sent Access-Challenge Id 40 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (3) EAP-Message = 0x0109006119001403030001011603030050e4ccfeb29d521f23bceec5b5a6d2086989af54bf30c104ebd10fcadeda3e144e401aeac50e2f2d6fb28711841f9bff03cac82c6e94eb8082d4da10ef0950f6eae7f637b23f93d14e28952fa0735e8273 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x792e58447a274188d729d5f4b5ba04a4 (3) Finished request Waking up in 4.8 seconds. (4) Received Access-Request Id 41 from 192.168.1.38:52437 to 192.168.1.33:1812 length 183 (4) User-Name = "particle" (4) NAS-IP-Address = 192.168.1.38 (4) NAS-Identifier = "b4fbe4c348ab" (4) NAS-Port = 0 (4) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (4) Calling-Station-Id = "E0-4F-43-36-B1-F1" (4) Framed-MTU = 1400 (4) NAS-Port-Type = Wireless-802.11 (4) Connect-Info = "CONNECT 0Mbps 802.11b" (4) EAP-Message = 0x020900061900 (4) State = 0x792e58447a274188d729d5f4b5ba04a4 (4) Message-Authenticator = 0x95b4fe0eef8a5368d718ba97543624d1 (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "particle", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 9 length 6 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x792e58447a274188 (4) eap: Finished EAP session with state 0x792e58447a274188 (4) eap: Previous EAP request found for state 0x792e58447a274188, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer ACKed our handshake fragment. handshake is finished (4) eap_peap: [eaptls verify] = success (4) eap_peap: [eaptls process] = success (4) eap_peap: Session established. Decoding tunneled attributes (4) eap_peap: PEAP state TUNNEL ESTABLISHED (4) eap: Sending EAP Request (code 1) ID 10 length 75 (4) eap: EAP session adding &reply:State = 0x792e58447d244188 (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) Sent Access-Challenge Id 41 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (4) EAP-Message = 0x010a004b19001703030040876f919e5b6f69b08d7d8082925085f96d9d4dc5d287be8a2220d788f3d81410117ac9b30cfe5bf1fdbd3fa127a1c59c9f43f811e9a1ed62184e6b52111b2cc9 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x792e58447d244188d729d5f4b5ba04a4 (4) Finished request Waking up in 4.8 seconds. (5) Received Access-Request Id 42 from 192.168.1.38:52437 to 192.168.1.33:1812 length 252 (5) User-Name = "particle" (5) NAS-IP-Address = 192.168.1.38 (5) NAS-Identifier = "b4fbe4c348ab" (5) NAS-Port = 0 (5) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (5) Calling-Station-Id = "E0-4F-43-36-B1-F1" (5) Framed-MTU = 1400 (5) NAS-Port-Type = Wireless-802.11 (5) Connect-Info = "CONNECT 0Mbps 802.11b" (5) EAP-Message = 0x020a004b19001703030040fdcdeff9a7da7077eb3784b51917dbb3f4b705b340e03a3feaf97f3de31941cb2864a9b7a6363f305b5c239727284a9e38bf34deab83141d8393bbc165f2cee7 (5) State = 0x792e58447d244188d729d5f4b5ba04a4 (5) Message-Authenticator = 0x16e198c5d18d50d6db5da8dc8ea94e23 (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "particle", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 10 length 75 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x792e58447d244188 (5) eap: Finished EAP session with state 0x792e58447d244188 (5) eap: Previous EAP request found for state 0x792e58447d244188, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: Continuing EAP-TLS (5) eap_peap: [eaptls verify] = ok (5) eap_peap: Done initial handshake (5) eap_peap: [eaptls process] = ok (5) eap_peap: Session established. Decoding tunneled attributes (5) eap_peap: PEAP state WAITING FOR INNER IDENTITY (5) eap_peap: Identity - particle (5) eap_peap: Got inner identity 'particle' (5) eap_peap: Setting default EAP type for tunneled EAP session (5) eap_peap: Got tunneled request (5) eap_peap: EAP-Message = 0x020a000d017061727469636c65 (5) eap_peap: Setting User-Name to particle (5) eap_peap: Sending tunneled request to inner-tunnel (5) eap_peap: EAP-Message = 0x020a000d017061727469636c65 (5) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (5) eap_peap: User-Name = "particle" (5) Virtual server inner-tunnel received request (5) EAP-Message = 0x020a000d017061727469636c65 (5) FreeRADIUS-Proxied-To = 127.0.0.1 (5) User-Name = "particle" (5) WARNING: Outer and inner identities are the same. User privacy is compromised. (5) server inner-tunnel { (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [chap] = noop (5) [mschap] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "particle", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) update control { (5) &Proxy-To-Realm := LOCAL (5) } # update control = noop (5) eap: Peer sent EAP Response (code 2) ID 10 length 13 (5) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (5) authenticate { (5) eap: Peer sent packet with method EAP Identity (1) (5) eap: Calling submodule eap_mschapv2 to process data (5) eap_mschapv2: Issuing Challenge (5) eap: Sending EAP Request (code 1) ID 11 length 43 (5) eap: EAP session adding &reply:State = 0x9ed5137a9ede0992 (5) [eap] = handled (5) } # authenticate = handled (5) } # server inner-tunnel (5) Virtual server sending reply (5) EAP-Message = 0x010b002b1a010b002610add748736b59d05b7cac342e03bc00fa667265657261646975732d332e302e3132 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x9ed5137a9ede099241d17dbdaa28bbf3 (5) eap_peap: Got tunneled reply code 11 (5) eap_peap: EAP-Message = 0x010b002b1a010b002610add748736b59d05b7cac342e03bc00fa667265657261646975732d332e302e3132 (5) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (5) eap_peap: State = 0x9ed5137a9ede099241d17dbdaa28bbf3 (5) eap_peap: Got tunneled reply RADIUS code 11 (5) eap_peap: EAP-Message = 0x010b002b1a010b002610add748736b59d05b7cac342e03bc00fa667265657261646975732d332e302e3132 (5) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (5) eap_peap: State = 0x9ed5137a9ede099241d17dbdaa28bbf3 (5) eap_peap: Got tunneled Access-Challenge (5) eap: Sending EAP Request (code 1) ID 11 length 107 (5) eap: EAP session adding &reply:State = 0x792e58447c254188 (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) Post-Auth-Type sub-section not found. Ignoring. (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) Sent Access-Challenge Id 42 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (5) EAP-Message = 0x010b006b19001703030060427e72f2a75ff426efd53ee1f42bf29ba4aae389d83bc4b7e8f1257e772430ede3cb69944b24e4f7b6280ffa62e224b27be20c2c641b0fbf6a77cab9ef38ba1f47e79470ecca8368ca25beda56349c1e21e3d49b1db8bc2bd749aab8bf3aa3cb (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x792e58447c254188d729d5f4b5ba04a4 (5) Finished request Waking up in 4.7 seconds. (6) Received Access-Request Id 43 from 192.168.1.38:52437 to 192.168.1.33:1812 length 300 (6) User-Name = "particle" (6) NAS-IP-Address = 192.168.1.38 (6) NAS-Identifier = "b4fbe4c348ab" (6) NAS-Port = 0 (6) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (6) Calling-Station-Id = "E0-4F-43-36-B1-F1" (6) Framed-MTU = 1400 (6) NAS-Port-Type = Wireless-802.11 (6) Connect-Info = "CONNECT 0Mbps 802.11b" (6) EAP-Message = 0x020b007b19001703030070fdcdeff9a7da7077eb3784b51917dbb344ede7b63a9b0f5b11eb7701e504139b09564427efbb43c2ec17f8b42b4124f8fbfc5b440c1c050ff8aa9b8badfaedf539c727f4dfa655815cc469a0812b494ea16db3c4e1ffb49720bdf58408642e7387e7d103393cc91e2db29818 (6) State = 0x792e58447c254188d729d5f4b5ba04a4 (6) Message-Authenticator = 0x9d932302c8a3d3979d08ad610dcc59e7 (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "particle", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 11 length 123 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x9ed5137a9ede0992 (6) eap: Finished EAP session with state 0x792e58447c254188 (6) eap: Previous EAP request found for state 0x792e58447c254188, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: Continuing EAP-TLS (6) eap_peap: [eaptls verify] = ok (6) eap_peap: Done initial handshake (6) eap_peap: [eaptls process] = ok (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state phase2 (6) eap_peap: EAP method MSCHAPv2 (26) (6) eap_peap: Got tunneled request (6) eap_peap: EAP-Message = 0x020b00431a020b003e313f35b2f66fb9de0bdb693df43f40afd200000000000000005984d1f879ab5fb509b4d544552cb8d100815e7b9445e381007061727469636c65 (6) eap_peap: Setting User-Name to particle (6) eap_peap: Sending tunneled request to inner-tunnel (6) eap_peap: EAP-Message = 0x020b00431a020b003e313f35b2f66fb9de0bdb693df43f40afd200000000000000005984d1f879ab5fb509b4d544552cb8d100815e7b9445e381007061727469636c65 (6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (6) eap_peap: User-Name = "particle" (6) eap_peap: State = 0x9ed5137a9ede099241d17dbdaa28bbf3 (6) Virtual server inner-tunnel received request (6) EAP-Message = 0x020b00431a020b003e313f35b2f66fb9de0bdb693df43f40afd200000000000000005984d1f879ab5fb509b4d544552cb8d100815e7b9445e381007061727469636c65 (6) FreeRADIUS-Proxied-To = 127.0.0.1 (6) User-Name = "particle" (6) State = 0x9ed5137a9ede099241d17dbdaa28bbf3 (6) WARNING: Outer and inner identities are the same. User privacy is compromised. (6) server inner-tunnel { (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [chap] = noop (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "particle", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) update control { (6) &Proxy-To-Realm := LOCAL (6) } # update control = noop (6) eap: Peer sent EAP Response (code 2) ID 11 length 67 (6) eap: No EAP Start, assuming it's an on-going EAP conversation (6) [eap] = updated (6) files: users: Matched entry particle at line 1 (6) [files] = ok (6) [expiration] = noop (6) [logintime] = noop (6) pap: WARNING: Auth-Type already set. Not setting to PAP (6) [pap] = noop (6) } # authorize = updated (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) authenticate { (6) eap: Expiring EAP session with state 0x9ed5137a9ede0992 (6) eap: Finished EAP session with state 0x9ed5137a9ede0992 (6) eap: Previous EAP request found for state 0x9ed5137a9ede0992, released from the list (6) eap: Peer sent packet with method EAP MSCHAPv2 (26) (6) eap: Calling submodule eap_mschapv2 to process data (6) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) eap_mschapv2: authenticate { (6) mschap: Found Cleartext-Password, hashing to create NT-Password (6) mschap: Found Cleartext-Password, hashing to create LM-Password (6) mschap: Creating challenge hash with username: particle (6) mschap: Client is using MS-CHAPv2 (6) mschap: ERROR: MS-CHAP2-Response is incorrect (6) [mschap] = reject (6) } # authenticate = reject (6) eap: Sending EAP Failure (code 4) ID 11 length 4 (6) eap: Freeing handler (6) [eap] = reject (6) } # authenticate = reject (6) Failed to authenticate the user (6) Using Post-Auth-Type Reject (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) Post-Auth-Type REJECT { (6) attr_filter.access_reject: EXPAND %{User-Name} (6) attr_filter.access_reject: --> particle (6) attr_filter.access_reject: Matched entry DEFAULT at line 11 (6) [attr_filter.access_reject] = updated (6) update outer.session-state { (6) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: MS-CHAP2-Response is incorrect' (6) } # update outer.session-state = noop (6) } # Post-Auth-Type REJECT = updated (6) } # server inner-tunnel (6) Virtual server sending reply (6) MS-CHAP-Error = "\013E=691 R=1 C=7e3c197e14ea1c252b48f6f0f1769c48 V=3 M=Authentication failed" (6) EAP-Message = 0x040b0004 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: Got tunneled reply code 3 (6) eap_peap: MS-CHAP-Error = "\013E=691 R=1 C=7e3c197e14ea1c252b48f6f0f1769c48 V=3 M=Authentication failed" (6) eap_peap: EAP-Message = 0x040b0004 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: Got tunneled reply RADIUS code 3 (6) eap_peap: MS-CHAP-Error = "\013E=691 R=1 C=7e3c197e14ea1c252b48f6f0f1769c48 V=3 M=Authentication failed" (6) eap_peap: EAP-Message = 0x040b0004 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: Tunneled authentication was rejected (6) eap_peap: FAILURE (6) eap: Sending EAP Request (code 1) ID 12 length 75 (6) eap: EAP session adding &reply:State = 0x792e58447f224188 (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) Post-Auth-Type sub-section not found. Ignoring. (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) session-state: Saving cached attributes (6) Module-Failure-Message := "mschap: MS-CHAP2-Response is incorrect" (6) Sent Access-Challenge Id 43 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (6) EAP-Message = 0x010c004b190017030300400c78fe983c5dd192db59da8240896c96033a7305a8f101405d8d1c04a6b8b77542214f016ab70bfe1a2c9039ff65e7c215f722faedc84912623688cb283b2cbd (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x792e58447f224188d729d5f4b5ba04a4 (6) Finished request Waking up in 4.7 seconds. (7) Received Access-Request Id 44 from 192.168.1.38:52437 to 192.168.1.33:1812 length 252 (7) User-Name = "particle" (7) NAS-IP-Address = 192.168.1.38 (7) NAS-Identifier = "b4fbe4c348ab" (7) NAS-Port = 0 (7) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (7) Calling-Station-Id = "E0-4F-43-36-B1-F1" (7) Framed-MTU = 1400 (7) NAS-Port-Type = Wireless-802.11 (7) Connect-Info = "CONNECT 0Mbps 802.11b" (7) EAP-Message = 0x020c004b19001703030040fdcdeff9a7da7077eb3784b51917dbb315f7e335a9c8a19767c1033ff9329c5f037450eba6f2eb7a9b9347ed8606cef0ce75ae3f03a9518a7ecf3c4b642716ea (7) State = 0x792e58447f224188d729d5f4b5ba04a4 (7) Message-Authenticator = 0xc6525ab028d9d5e9459c8d3d25442ff7 (7) Restoring &session-state (7) &session-state:Module-Failure-Message := "mschap: MS-CHAP2-Response is incorrect" (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "particle", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 12 length 75 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x792e58447f224188 (7) eap: Finished EAP session with state 0x792e58447f224188 (7) eap: Previous EAP request found for state 0x792e58447f224188, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: [eaptls verify] = ok (7) eap_peap: Done initial handshake (7) eap_peap: [eaptls process] = ok (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state send tlv failure (7) eap_peap: Received EAP-TLV response (7) eap_peap: The users session was previously rejected: returning reject (again.) (7) eap_peap: This means you need to read the PREVIOUS messages in the debug output (7) eap_peap: to find out the reason why the user was rejected (7) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you (7) eap_peap: what went wrong, and how to fix the problem (7) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (7) eap: Sending EAP Failure (code 4) ID 12 length 4 (7) eap: Failed in EAP select (7) [eap] = invalid (7) } # authenticate = invalid (7) Failed to authenticate the user (7) Using Post-Auth-Type Reject (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) Post-Auth-Type REJECT { (7) attr_filter.access_reject: EXPAND %{User-Name} (7) attr_filter.access_reject: --> particle (7) attr_filter.access_reject: Matched entry DEFAULT at line 11 (7) [attr_filter.access_reject] = updated (7) [eap] = noop (7) policy remove_reply_message_if_eap { (7) if (&reply:EAP-Message && &reply:Reply-Message) { (7) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (7) else { (7) [noop] = noop (7) } # else = noop (7) } # policy remove_reply_message_if_eap = noop (7) } # Post-Auth-Type REJECT = updated (7) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (7) Sending delayed response (7) Sent Access-Reject Id 44 from 192.168.1.33:1812 to 192.168.1.38:52437 length 44 (7) EAP-Message = 0x040c0004 (7) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.7 seconds. (0) Cleaning up request packet ID 37 with timestamp +37 (1) Cleaning up request packet ID 38 with timestamp +37 (2) Cleaning up request packet ID 39 with timestamp +37 Waking up in 0.1 seconds. (3) Cleaning up request packet ID 40 with timestamp +37 (4) Cleaning up request packet ID 41 with timestamp +37 (5) Cleaning up request packet ID 42 with timestamp +37 (6) Cleaning up request packet ID 43 with timestamp +37 (7) Cleaning up request packet ID 44 with timestamp +37 Thanks in advance for any help. Will wjsteen@talktalk.net