Good morning! We are attempting to implement 802.1x/EAP for the first time, ad we're having some trouble diagnosing what's going on in the various stages of the communications between the NAS and FR. We don't have any experience with it, so it's rather confusing. We're using FR 2.2.8, with the test certs provided. We can see that there is communication, but all attempts to authenticate a device are failing. I've included what I believe to be the relevant portion of the debug output, and I do see several error conditions. The first says that the realm LOCAL is not defined, but in looking at the config, it looks as though it is. There's also a report that there's a missing Cleartext-Password, but that is also defined in the database, so we're at a loss as to the cause of the failure. If someone can point us in the right direction, I'd truly appreciate it! rad_recv: Access-Request packet from host 146.115.19.180 port 50987, id=97, length=394 Acct-Session-Id = "5DB9E1F5-76DF7502" User-Name = "jerry" NAS-IP-Address = 192.168.185.30 NAS-Identifier = "90-3A-72-15-25-1D" NAS-Port = 1 Called-Station-Id = "90-3A-72-15-25-1D:CVGNE_W1" Calling-Station-Id = "D4-53-83-F3-C0-17" Service-Type = Framed-User Chargeable-User-Identity = "" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 802.11a/n/ac" EAP-Message = 0x0208005f1900170303005400000000000000022f4cd34458205cfb0d339d2a9f6dda68b5f7a4ffbd985bbfb9ef4094114e5a1856df8479ea3c4ddc7f293487a00396643c97c4b24f51d67a7c7cc34e9bbbc1c156adc07977d4e095d6fddaa5 State = 0x957bdc849273c5bfd96a2d7f79095e2d Ruckus-SSID = "CVGNE_W1" Ruckus-Attr-14 = 0x903a7215251d Ruckus-Attr-9 = 0x000001c3 Ruckus-SCG-CBlade-IP = 3232282885 Ruckus-Attr-134 = 0x44656661756c74205a6f6e65 Ruckus-Attr-135 = 0x4356474e455f5731 Message-Authenticator = 0xad0239941dd1cf346629d1f1b23805b6 Event-Timestamp = "Oct 30 2019 15:18:14 EDT" Proxy-State = 0x3636 # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++update request { sql_xlat expand: select zone_migration_enabled from sites where id='%{NAS-Identifier}' -> select zone_migration_enabled from sites where id='90-3A-72-15-25-1D' rlm_sql (sql_instance2): Reserving sql socket id: 2 SQL query did not return any results rlm_sql (sql_instance2): Released sql socket id: 2 expand: %{sql_instance2: select zone_migration_enabled from sites where id='%{NAS-Identifier}'} -> ... expanding second conditional expand: %{%{sql_instance2: select zone_migration_enabled from sites where id='%{NAS-Identifier}'}:-0} -> 0 ++} # update request = noop ++? if (("%{Called-Station-Id}" =~ /^00-50-E8-/ || "%{Called-Station-Id}" =~ /^20-4C-03-/ )&& Tmp-String-2 == '1') expand: %{Called-Station-Id} -> 90-3A-72-15-25-1D:CVGNE_W1 ?? Evaluating ("%{Called-Station-Id}" =~ /^00-50-E8-/) -> FALSE expand: %{Called-Station-Id} -> 90-3A-72-15-25-1D:CVGNE_W1 ?? Evaluating ("%{Called-Station-Id}" =~ /^20-4C-03-/) -> FALSE ? Skipping (Tmp-String-2 == '1') ++? if (("%{Called-Station-Id}" =~ /^00-50-E8-/ || "%{Called-Station-Id}" =~ /^20-4C-03-/ )&& Tmp-String-2 == '1') -> FALSE ++[chap] = noop ++[mschap] = noop [suffix] No '@' in User-Name = "jerry", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 8 length 95 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020800401a0208003b31197eb5bbc69b47c5363805196ff71ff700000000000000008a49a9ade98c47831f6c39043311438b1a56945caec5a5f5006a65727279 server { [peap] Setting User-Name to jerry Sending tunneled request EAP-Message = 0x020800401a0208003b31197eb5bbc69b47c5363805196ff71ff700000000000000008a49a9ade98c47831f6c39043311438b1a56945caec5a5f5006a65727279 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "jerry" State = 0x2b16a6c52b1ebc1c6619c5138158b3f7 server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] No '@' in User-Name = "jerry", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 8 length 64 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request. Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: jerry [mschap] Client is using MS-CHAPv2 for jerry, we need NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] = reject +} # group MS-CHAP = reject [eap] Freeing handler ++[eap] = reject +} # group authenticate = reject Failed to authenticate the user. expand: %{NAS-IP-Address} -> Login incorrect: [jerry/<via Auth-Type = EAP>] (from client Office port 0 via TLS tunnel) Using Post-Auth-Type REJECT # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> jerry attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code Access-Reject MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 97 to 146.115.19.180 port 50987 EAP-Message = 0x0109002e1900170303002334c44a5ec04ae1317ed894226db68ba139a09ceb0517c705c20507823d7bb4bc4a05c6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x957bdc849d72c5bfd96a2d7f79095e2d Proxy-State = 0x3636 Finished request 214. Many thanks! -- Jim