Hi there, this is my first post on the list and It's always a shame to start with a problem :) . I woul like to implement a freeradius authentication server that uses openldap as backend and supports both pap authentication (for the VPN client) and eap -ttls pap for the wi-fi lan. I think I've successfullyconfigured freeradius for the pap authentication with openldap since the radtest returns ok. In the ldap module I've also enabled the groupcheck since in my company they want to restrict vpn access through ldap group membership. This works great. To to this I've removed the comment from the groupcheck and added to the user file thinks like this: 188:DEFAULT LDAP-Group=="vpntest" 189: Reply-Message="Test per VPN", 190: Class="vpntest", 191: Fall-Through = Yes is this ugly? My company does not want to add radiuschema to the users. Ok now just forget for the small OT and let's focus on the real problem. These are the configs: root@ldap:/etc/freeradius# egrep -v '(#|^\s*$)' modules/ldap ldap { server = "test-ldap.newenergygroup.com" identity = "cn=admin,dc=newenergygroup,dc=com" password = XXXXXXXXX basedn = "dc=newenergygroup,dc=com" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" password_attribute = userPassword ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" groupmembership_attribute = radiusGroupName } egrep -v '(#|^\s*$)' sites-enabled/default authorize { preprocess chap mschap suffix eap { ok = return } files ldap expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix Auth-Type LDAP { ldap } root@ldap:/etc/freeradius# egrep -v '(#|^\s*$)' eap.conf eap { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 md5 { } leap { } gtc { auth_type = PAP } tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_password = whatever private_key_file = ${certdir}/server.key certificate_file = ${certdir}/server.pem CA_file = ${cadir}/ca.pem dh_file = ${certdir}/dh random_file = ${certdir}/random cipher_list = "DEFAULT" make_cert_command = "${certdir}/bootstrap" cache { enable = no max_entries = 255 } } ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } peap { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } mschapv2 { } } I'm testing the eap eapol_test -c eap_pool_test_config -a 127.0.0.1 -p 1812 -s testing123 -r1 and the config is: network={ eap=TTLS ssid="example" eapol_flags=0 key_mgmt=WPA-EAP identity="atest" password="atest" #ca_cert="/etc/freeradius/certs/ccaa.pem" phase2="auth=PAP" } the debug from radius is: rad_recv: Access-Request packet from host 127.0.0.1 port 33653, id=0, length=118 User-Name = "atest" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000a016174657374 Message-Authenticator = 0xf57a3eb5217b5475fcd4acf2ab929c6c +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "atest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 10 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [ldap] Entering ldap_groupcmp() [files] expand: dc=newenergygroup,dc=com -> dc=newenergygroup,dc=com [files] expand: %{Stripped-User-Name} -> [files] ... expanding second conditional [files] expand: %{User-Name} -> atest [files] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=atest) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to test-ldap.newenergygroup.com:389, authentication 0 [ldap] bind as cn=admin,dc=newenergygroup,dc=com/Ld4pPa$$w0rD to test-ldap.newenergygroup.com:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=newenergygroup,dc=com, with filter (uid=atest) [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=newenergygroup,dc=com, with filter (&(cn=vpnfullaccess)(|(&(objectClass=GroupOfNames)(member=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in uid=atest,ou=people,dc=newenergygroup,dc=com, with filter (objectclass=*) rlm_ldap::ldap_groupcmp: ldap_get_values() failed [ldap] ldap_release_conn: Release Id: 0 [ldap] Entering ldap_groupcmp() [files] expand: dc=newenergygroup,dc=com -> dc=newenergygroup,dc=com [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=newenergygroup,dc=com, with filter (&(cn=vpnlowaccess)(|(&(objectClass=GroupOfNames)(member=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in uid=atest,ou=people,dc=newenergygroup,dc=com, with filter (objectclass=*) rlm_ldap::ldap_groupcmp: ldap_get_values() failed [ldap] ldap_release_conn: Release Id: 0 [ldap] Entering ldap_groupcmp() [files] expand: dc=newenergygroup,dc=com -> dc=newenergygroup,dc=com [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=newenergygroup,dc=com, with filter (&(cn=vpntest)(|(&(objectClass=GroupOfNames)(member=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in uid=atest,ou=people,dc=newenergygroup,dc=com, with filter (objectclass=*) rlm_ldap::ldap_groupcmp: ldap_get_values() failed [ldap] ldap_release_conn: Release Id: 0 [ldap] Entering ldap_groupcmp() [files] expand: dc=newenergygroup,dc=com -> dc=newenergygroup,dc=com [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=newenergygroup,dc=com, with filter (&(cn=vpntestadmin)(|(&(objectClass=GroupOfNames)(member=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom)))) rlm_ldap::ldap_groupcmp: User found in group vpntestadmin [ldap] ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 193 ++[files] returns ok [ldap] performing user authorization for atest [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> atest [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=atest) [ldap] expand: dc=newenergygroup,dc=com -> dc=newenergygroup,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=newenergygroup,dc=com, with filter (uid=atest) [ldap] Added User-Password = {MD5}tQzXLan1f4v2iAMD/1t2Ig== in check items [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user atest authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = LDAP +- entering group LDAP {...} [ldap] Attribute "User-Password" is required for authentication. You seem to have set "Auth-Type := LDAP" somewhere. THAT CONFIGURATION IS WRONG. DELETE IT. YOU ARE PREVENTING THE SERVER FROM WORKING PROPERLY. ++[ldap] returns invalid Failed to authenticate the user. Login incorrect: [atest] (from client localhost port 0 cli 02-00-00-00-00-01) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> atest attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 0 to 127.0.0.1 port 33653 Reply-Message = "Test per VPN ADMIN" Waking up in 4.9 seconds. Cleaning up request 0 ID 0 with timestamp +23 Ready to process requests. Thank you :), hope I'm not missing somithing stupid, I've read a lot of documentation here and there. ps. password on the LDAP are stored in hash form.