Hi, i prepare freeradius with eap/peap and the users file that works fine. Now i setup a sql database, i can use radtest or radeapclient to check the user and password in the database and it works fine, but if i try to connect to freeradius the request will be rejected and i have no idea why So if you can give me some hints you are welcome... here the reject: PEAP: Tunneled authentication was rejected. here the total debug log: rad_recv: Access-Request packet from host 192.168.0.50 port 1037, id=0, length=194 Message-Authenticator = 0x6462a3c080bc0ee0af1d99a080b2d335 Service-Type = Framed-User User-Name = "sqluser" Framed-MTU = 1488 Called-Station-Id = "F0-7D-68-17-D4-39:dlink" Calling-Station-Id = "00-18-DE-E1-85-89" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200000c0173716c75736572 NAS-IP-Address = 192.168.0.50 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 0 length 12 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop expand: %{User-Name} -> sqluser rlm_sql (sql): sql_set_user escaped user --> 'sqluser' rlm_sql (sql): Reserving sql socket id: 3 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'sqluser' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'sqluser' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'sqluser' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'sqluser' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'sqluser' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'sqluser' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.0.50 port 1037 EAP-Message = 0x01010016041056977865b8f38f672c99a5c049338698 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xeff176eaeff0727198f0e801bd7f42f1 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 1037, id=1, length=206 Message-Authenticator = 0x97148f06ecd1d47d289947214042b441 Service-Type = Framed-User User-Name = "sqluser" Framed-MTU = 1488 State = 0xeff176eaeff0727198f0e801bd7f42f1 Called-Station-Id = "F0-7D-68-17-D4-39:dlink" Calling-Station-Id = "00-18-DE-E1-85-89" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020100060319 NAS-IP-Address = 192.168.0.50 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 1 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop expand: %{User-Name} -> sqluser rlm_sql (sql): sql_set_user escaped user --> 'sqluser' rlm_sql (sql): Reserving sql socket id: 2 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'sqluser' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'sqluser' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'sqluser' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'sqluser' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'sqluser' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'sqluser' ORDER BY priority rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/peap rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 1 to 192.168.0.50 port 1037 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xeff176eaeef36f7198f0e801bd7f42f1 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 1037, id=2, length=337 Message-Authenticator = 0xf06fbed85cd7d6f9a7b00bc67df6ba87 Service-Type = Framed-User User-Name = "sqluser" Framed-MTU = 1488 State = 0xeff176eaeef36f7198f0e801bd7f42f1 Called-Station-Id = "F0-7D-68-17-D4-39:dlink" Calling-Station-Id = "00-18-DE-E1-85-89" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020200891900160301007e0100007a03014d41cf9c8c7503cfc4ac02ba74ce4c6a5b185d8c7ea7574f4d7b354e60026c0a2067de91fbb878785f4a07 302074edf8ef6ade9886e8f9428ecc0d84247b18c57f003200390038003500880087008400160013000a00330032002f004500440041000500040015001200090014001100080006 0003020100 NAS-IP-Address = 192.168.0.50 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 2 length 137 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 007e], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange TLS_accept: SSLv3 write key exchange A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 2 to 192.168.0.50 port 1037 EAP-Message = 0x0103040019c000000acd160301004a0200004603014d41cf9cfaed3d7fc78c6ba9b7d8bb11c01eb9b4921e04d0548b69bb81a108ae208f4f020fcd8a efcbc4748614f56ca619187eda3b33f4ff255e018e100378c655003901160301085e0b00085a0008570003a6308203a23082028aa003020102020102300d06092a864886f70d0101 040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d70 6c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406035504 EAP-Message = 0x03131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3131303130373136323632365a170d323130313034313632 3632365a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578 616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d 01010105000382010f003082010a0282010100bc734f9d3049b9ad29649bf5685fc25a07bee2149b4c8e417e165b2c6ed9 EAP-Message = 0xe5fbb2cf2d0a9f44f6b8e8c89cafb2cbc4a9968c1803966929f10af48996cdd46fb425caaf0a19e2f8e7d46550c1c7bc89bf9e1e0811bf39a527b7e2 80028c227a2e97a47d618735b1797a7dfd7f169ba3404dee104b7269db1a4e452fd526d6af1afad3a1ed3a0e807811a133101dbfa4f6edaacbf096aaf7a8b4196ed49671a749cd7b 75d079c717a16903d7dfb57c523adaeeab99f651831ecb262b86d49ad10e05b8e2a112190e3ec6039a477f0ae70f7975bc59d1c62898f34ca0a2f42febd2cf5c46e4f080e4176261 58c0122d711e068d966fdfd6f4a95dffc8cc3ee1ce270203010001a317301530130603551d25040c300a06082b06010505 EAP-Message = 0x070301300d06092a864886f70d01010405000382010100877baa777876021f1268749453b9ab3513ad8b4c9f0ea68e6af12bb980d156a05a845392d0 0cc42a05f834dc6463ec2dbb990e68d890789fdfd5bf6897aa2ae6f03576f1cd412e5290e56b7024026aa5889095060b95b8305ae1d922dc6442d69f7ecfd82d01d8ac8407fe8b1e f6021d26aafc7d327eda89e48778c0e7c890284d78e4783b99a07907e0403156a023d08862471ed1b6cd6d506acc4e9e24b84112f3efdcdb76dbf63bdfeb749ea2faf5e8e67fbcd7 d7c1b179b9adfd97ad81eda2b68195ea19ad5e7c976e7eefecd16e45016ca70093732f101538df6deb4a0b28b0ac7816e5 EAP-Message = 0x3537f15a3e6d28557e50ced1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xeff176eaedf26f7198f0e801bd7f42f1 Finished request 2. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 1037, id=3, length=206 Message-Authenticator = 0xc0236583fb6cc1eff4e3692386b05cd5 Service-Type = Framed-User User-Name = "sqluser" Framed-MTU = 1488 State = 0xeff176eaedf26f7198f0e801bd7f42f1 Called-Station-Id = "F0-7D-68-17-D4-39:dlink" Calling-Station-Id = "00-18-DE-E1-85-89" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020300061900 NAS-IP-Address = 192.168.0.50 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 3 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 3 to 192.168.0.50 port 1037 EAP-Message = 0x010403fc1940d76bf7348c65d017f49ee7a0e94f0004ab308204a73082038fa00302010202090088d6a04b914711cc300d06092a864886f70d010105 0500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c 6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c652043657274696669636174652041 7574686f72697479301e170d3131303130373136323632365a170d3131303230363136323632365a308193310b30090603 EAP-Message = 0x55040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d70 6c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520 417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100af5bebdfb1e9fb1e943de80e9f0acbf563d7ca009ec112a9b5979e0b779a 681debed0535d03ea8e16523453e72b1912e6e1dada0d72053ccc2d96d6c4be07bac43c12f5c5348cc2e99ca85a793ff57 EAP-Message = 0x41aedc3a0ea690141f3b58c130da1aaad2223c421d6634fc7ce836180dbc2ac9ab5bf52abde87d9dd3cec84d65a8c1321abf381d2023bed5ac595f84 af770efe04ddaa417234d4e8f68498e02d67c2a4fb28fe4d2bac043d983446d12187de441bc5a5df6d9465cdeff6fead18d1a9b7cc0d8562caccd62e70f66a0507d04b678d2aadd0 8be6e6978cdd0d1e1a095889fbb7d98f1802a4eb0d5489b85b90ac8821bc243cbd7f9843152af22ba66645e2510203010001a381fb3081f8301d0603551d0e041604147f436e8fc5 e6a6b8437022ae88b879dc095cd18c3081c80603551d230481c03081bd80147f436e8fc5e6a6b8437022ae88b879dc095c EAP-Message = 0xd18ca18199a48196308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d6577686572 6531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d457861 6d706c6520436572746966696361746520417574686f7269747982090088d6a04b914711cc300c0603551d13040530030101ff300d06092a864886f70d010105050003820101009e 4148e0bcfa4d3f6e5b607d864dad98650e482159aa8bb34b66c0c07fbf3e37c79cca55a2502a591cca0518411a47d0e296 EAP-Message = 0x70e0874d635f5cd3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xeff176eaecf56f7198f0e801bd7f42f1 Finished request 3. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 1037, id=4, length=206 Message-Authenticator = 0x28863aba9a3b7269b75e881aada8a924 Service-Type = Framed-User User-Name = "sqluser" Framed-MTU = 1488 State = 0xeff176eaecf56f7198f0e801bd7f42f1 Called-Station-Id = "F0-7D-68-17-D4-39:dlink" Calling-Station-Id = "00-18-DE-E1-85-89" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020400061900 NAS-IP-Address = 192.168.0.50 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 4 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 4 to 192.168.0.50 port 1037 EAP-Message = 0x010502e71900d8166dc7b99a4e27a679b04388e1d246bbb52beea9dcdeb033f596c10e980bc0ab99d92b013ccd79bd1115bd76604da368170c434737 b2a722331a510ae27009b20cb5e6888b63eccd479eca9e394d58404b78b285e706ba026f7a13318965a5d8d4d1ceb679d3443b4e90f45ec1d6e83980f7f42ab5427402b449025a22 ae48ec63ac38974337165677b17b7dd589d716bd572add065073662ed1b6e656159049e6dada7066205e19c8c15baa2b85af112353df2f278813b6f55682ca273882b54876b8330c 160301020d0c0002090080fe5ee9d93c834c61b96c084a22ea6cdd00107bc59f9e391af41618125b59f81f241f831ea90c EAP-Message = 0x94a3627f3c424a82fbc20778144b62e9731fd7ef82c1fad8c33b82d29df918153c00834cdaeb332b03b1f4bbf40b7d2201f881e5f5accedc938bff2b f316465677806e17e69d7334aeb1e45ce13367c66f9283e675c998940f5300010200802a468d7356edf3171caef4c97454274ac86d38f3a0a87b9bd4dd05b2f9f36118342129453f 8cff65fb71b7bf4008e64ccc0b371902304eb6a58d86da4e5c9b84b49c89fe8a3deba167f623d5fa28a35cdd4b7bed3e85d29c0542384a59aac5095d098330f567e409b0f60cd657 802085b4d612d49b29cb869693f0efd6d1502c010053160d171ed2021760e5e4d39b4572f57dd58e5391524e95cf70e701 EAP-Message = 0x8c85fdc2598764461eb216d3f7c285f4a8bf91c8f475971ec5ea7314a6bc6a6b77ec3587172b1a4e27d41342aca759e13be98f3dc794eb542e7649cb 282e4e2d74fe7c8f7761da3ec1a5172b944a26cd65f6f75eb1663dc95350019be71b5411af14fc43361cc6a5965f7aa3d90483cbc1c2402ad0e09bff52db746fb56a4f66490c740c 9957c687258a2c81f8b3a80bcc8065939ef509e710161d438da1779763f6ba5b14db8d8ce577753ea592ac5402a0cec04b7626908692f718899fafe44b434a1ebcae72194c94a849 2e1e0b9b14354c23344f3b9bee005fecc3cd3da82dea5db316030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xeff176eaebf46f7198f0e801bd7f42f1 Finished request 4. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 1037, id=5, length=404 Message-Authenticator = 0x63c5e1ff1a1d9df1b0bbdad7714b8c9a Service-Type = Framed-User User-Name = "sqluser" Framed-MTU = 1488 State = 0xeff176eaebf46f7198f0e801bd7f42f1 Called-Station-Id = "F0-7D-68-17-D4-39:dlink" Calling-Station-Id = "00-18-DE-E1-85-89" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020500cc19001603010086100000820080a5a12e9fb29344c07d155ed199dce1f532ec737a672c18187595b8a616d7006dddbfd6f9bb3460dafac218 b07e5ce0fa0bdf78bf0a2af0259a3fe1aa31c1f4297fc1a2df94ae090a7e9f4ff5296baae51ca8d7b99f98361e8f33943e8473d6c713461f26f8263a1effe2887e6e417e106522ae 35bf38844286cec0bdba5df74614030100010116030100301fcbd83169e23e468af5113d1eef78760b4ec6de5f4d18548159af3a0a914df0c65ac7493db98a95ff31816202441083 NAS-IP-Address = 192.168.0.50 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 5 length 204 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 5 to 192.168.0.50 port 1037 EAP-Message = 0x010600411900140301000101160301003084f98267ce99a87e36417d12793cd01d1320e28f73eed0b310fe35e98fb08f638aa96e46f1173378a09936 14cba69952 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xeff176eaeaf76f7198f0e801bd7f42f1 Finished request 5. Going to the next request Waking up in 4.5 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 1037, id=6, length=206 Message-Authenticator = 0xbb693480b8c053732ac09c3354cddf7d Service-Type = Framed-User User-Name = "sqluser" Framed-MTU = 1488 State = 0xeff176eaeaf76f7198f0e801bd7f42f1 Called-Station-Id = "F0-7D-68-17-D4-39:dlink" Calling-Station-Id = "00-18-DE-E1-85-89" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020600061900 NAS-IP-Address = 192.168.0.50 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 6 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 6 to 192.168.0.50 port 1037 EAP-Message = 0x0107002b19001703010020132e756d08ced7e45da425ed9248e8578c3988d758aeca13d08753171d6288fd Message-Authenticator = 0x00000000000000000000000000000000 State = 0xeff176eae9f66f7198f0e801bd7f42f1 Finished request 6. Going to the next request Waking up in 4.5 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 1037, id=7, length=296 Message-Authenticator = 0xa6e6a2d92ae86919ede0b3fbf1d3588a Service-Type = Framed-User User-Name = "sqluser" Framed-MTU = 1488 State = 0xeff176eae9f66f7198f0e801bd7f42f1 Called-Station-Id = "F0-7D-68-17-D4-39:dlink" Calling-Station-Id = "00-18-DE-E1-85-89" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0207006019001703010020f23c5c5bff65e357c1d04750e77a02a3018ec1e29f452f8b40744b4a781f41a6170301003087cb3edea87d9ae896ee6a1b a1f110beaae1ac3fd3b15e17511bde8ee9f19afd54ef63376f466842f3662048ee5485f7 NAS-IP-Address = 192.168.0.50 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 7 length 96 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - sqluser PEAP: Got tunneled EAP-Message EAP-Message = 0x0207000c0173716c75736572 PEAP: Got tunneled identity of sqluser PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to sqluser PEAP: Sending tunneled request EAP-Message = 0x0207000c0173716c75736572 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "sqluser" server inner-tunnel { +- entering group authorize ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: EAP packet type response id 7 length 12 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel PEAP: Got tunneled reply RADIUS code 11 EAP-Message = 0x010800211a0108001c101b48646fa92543913807a5b05f32e72473716c75736572 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc0b632abc0be28c6482b7cb6c82ab8d2 PEAP: Processing from tunneled session code 0x81bd2b0 11 EAP-Message = 0x010800211a0108001c101b48646fa92543913807a5b05f32e72473716c75736572 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc0b632abc0be28c6482b7cb6c82ab8d2 PEAP: Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 7 to 192.168.0.50 port 1037 EAP-Message = 0x0108004b190017030100402003024634e4f8ec66529bbf55bbcbdf55e9b2de71df4307a92425182981824df1d671e2cc670be268bf621066d6d46388 0ac2ebe173ac6cf5d2ad2a927172c6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xeff176eae8f96f7198f0e801bd7f42f1 Finished request 7. Going to the next request Waking up in 4.5 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 1037, id=8, length=344 Message-Authenticator = 0x6d830a81d5020493951deab84388b73b Service-Type = Framed-User User-Name = "sqluser" Framed-MTU = 1488 State = 0xeff176eae8f96f7198f0e801bd7f42f1 Called-Station-Id = "F0-7D-68-17-D4-39:dlink" Calling-Station-Id = "00-18-DE-E1-85-89" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0208009019001703010020fd154ad5033bc10deb9affe6269fbb4e011fb48b4955855c6d1a6cb884edc9fb1703010060325cf7f4956a0f450c4124d0 eadcfc46b3f7346bd768d367985c39b79d8ade99e37783cb5ddc062e795602cd3b965a3cc446365ea8cd6fc1dd7c98a6d11921c9018c77621c798adbbe1711e4100e3e341de47b09 28105cb056ea7dcf93e5ad68 NAS-IP-Address = 192.168.0.50 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 8 length 144 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 PEAP: Got tunneled EAP-Message EAP-Message = 0x020800421a0208003d31d8329bd18d2b3c48b3e9dcd414628b6a000000000000000025c5f8448290bf0b3b376400dc3862cc7a50e4bc5f7583e20073 716c75736572 PEAP: Setting User-Name to sqluser PEAP: Sending tunneled request EAP-Message = 0x020800421a0208003d31d8329bd18d2b3c48b3e9dcd414628b6a000000000000000025c5f8448290bf0b3b376400dc3862cc7a50e4bc5f7583e20073 716c75736572 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "sqluser" State = 0xc0b632abc0be28c6482b7cb6c82ab8d2 server inner-tunnel { +- entering group authorize ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: EAP packet type response id 8 length 66 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for sqluser with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject rlm_eap: Freeing handler ++[eap] returns reject auth: Failed to validate the user. Login incorrect: [sqluser/<via Auth-Type = EAP>] (from client dlink-private-network port 0 via TLS tunnel) } # server inner-tunnel PEAP: Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Processing from tunneled session code 0x81bd288 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ++[eap] returns handled Sending Access-Challenge of id 8 to 192.168.0.50 port 1037 EAP-Message = 0x0109003b1900170301003034751d74d2db85e76a4a09990bc079aabf886c33adbae4de36aa4b998d1437564e312ceb4f3ef2e602a0ec1b74c34c8b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xeff176eae7f86f7198f0e801bd7f42f1 Finished request 8. Going to the next request Waking up in 4.5 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 1037, id=9, length=296 Message-Authenticator = 0xcf9f988ac3da6a9784a700bd6e8bd235 Service-Type = Framed-User User-Name = "sqluser" Framed-MTU = 1488 State = 0xeff176eae7f86f7198f0e801bd7f42f1 Called-Station-Id = "F0-7D-68-17-D4-39:dlink" Calling-Station-Id = "00-18-DE-E1-85-89" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0209006019001703010020b4f42681cb8004c329ba3e6eb3f20af6ab64a075776fd142c83e827add1a8e531703010030f9a9c64a35e6e5b5327b4c2e 91499e1a3897f2202d67ff4db4b2e03510edaa39019a712075a32f6ef78368edcc2e3bb6 NAS-IP-Address = 192.168.0.50 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "sqluser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 9 length 96 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Login incorrect: [sqluser/<via Auth-Type = EAP>] (from client dlink-private-network port 1 cli 00-18-DE-E1-85-89) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> sqluser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 9 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 9 Sending Access-Reject of id 9 to 192.168.0.50 port 1037 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.4 seconds. Cleaning up request 0 ID 0 with timestamp +24 Cleaning up request 1 ID 1 with timestamp +24 Waking up in 0.3 seconds. Cleaning up request 2 ID 2 with timestamp +24 Cleaning up request 3 ID 3 with timestamp +24 Cleaning up request 4 ID 4 with timestamp +24 Waking up in 0.1 seconds. Cleaning up request 5 ID 5 with timestamp +24 Cleaning up request 6 ID 6 with timestamp +24 Cleaning up request 7 ID 7 with timestamp +24 Cleaning up request 8 ID 8 with timestamp +24 Waking up in 1.0 seconds. Cleaning up request 9 ID 9 with timestamp +24 Ready to process requests. Tell me if you need more information thx Chris -- View this message in context: http://freeradius.1045715.n5.nabble.com/Freeradius-SQL-PEAP-Tunneled-authent... Sent from the FreeRadius - User mailing list archive at Nabble.com.