Hi all, I am trying to narrow down this EAP-MD5 802.1x authentication for the last week and I unable to find exactly what the problem is. Can you please provide some pointers from the following logs on what could be the problem? What group auth it is expecting? Is it the user group in /etc/passwd file? I have put the user XXXX in the rad_users file along with Cleartext-Password as it was complaining that user needs to have Cleartext-Password. Thanks ash-4.3# /var/packages/RadiusServer/target/sbin/radiusd -X radiusd: FreeRADIUS Version 2.2.9 (git #e4cc22f), for host armle-unknown-linux-gnu, built on Aug 17 2016 at 14:40:46 Copyright (C) 1999-2015 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /var/packages/RadiusServer/tar get/etc/raddb/radiusd.conf including configuration file /usr/local/synoradius/rad_listen including configuration file /usr/local/synoradius/rad_port_auth including configuration file /usr/local/synoradius/rad_port_auth including configuration file /var/packages/RadiusServer/tar get/etc/raddb/clients.conf including configuration file /usr/local/synoradius/rad_clients including files in directory /var/packages/RadiusServer/tar get/etc/raddb/modules/ including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/ippool including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/replicate including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/mschap including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/policy including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/linelog including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/sqlcounter_expire_on_login including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/detail including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/attr_rewrite including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/cache including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/smsotp including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/sql_log including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/wimax including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/echo including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/logintime including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/perl including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/expiration including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/rediswho including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/inner-eap including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/opendirectory including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/exec including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/sradutmp including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/pap including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/unix including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/checkval including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/passwd including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/mac2ip including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/detail.example.com including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/otp including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/soh including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/counter including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/preprocess including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/chap including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/realm including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/krb5 including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/redis including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/files including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/attr_filter including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/acct_unique including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/detail.log including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/synorad including configuration file /usr/local/synoradius/synoconf including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/digest including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/etc_group including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/mschap_ad including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/expr including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/cui including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/dynamic_clients including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/smbpasswd including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/always including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/radutmp including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/ldap including configuration file /usr/local/synoradius/rad_ldap including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/pam including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/dhcp_sqlippool including configuration file /var/packages/RadiusServer/tar get/etc/raddb/sql/mysql/ippool-dhcp.conf including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/ntlm_auth including configuration file /usr/local/synoradius/rad_ntlm_auth including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/mac2vlan including configuration file /var/packages/RadiusServer/tar get/etc/raddb/modules/radrelay including configuration file /var/packages/RadiusServer/tar get/etc/raddb/eap.conf including configuration file /usr/local/synoradius/rad_ca_cert including configuration file /var/packages/RadiusServer/tar get/etc/raddb/policy.conf including files in directory /var/packages/RadiusServer/tar get/etc/raddb/sites-enabled/ including configuration file /var/packages/RadiusServer/tar get/etc/raddb/sites-enabled/inner-tunnel including configuration file /usr/local/synoradius/rad_site_inn including configuration file /usr/local/synoradius/rad_site_inn_local including configuration file /usr/local/synoradius/rad_port_inner including configuration file /var/packages/RadiusServer/tar get/etc/raddb/sites-enabled/default including configuration file /usr/local/synoradius/rad_site_def including configuration file /usr/local/synoradius/rad_site_def_local including configuration file /var/packages/RadiusServer/tar get/etc/raddb/sites-enabled/control-socket main { allow_core_dumps = no } including dictionary file /var/packages/RadiusServer/tar get/etc/raddb/dictionary main { name = "radiusd" prefix = "/var/packages/RadiusServer/target/" localstatedir = "/var/packages/RadiusServer/target//var" sbindir = "/var/packages/RadiusServer/target//sbin" logdir = "/var/packages/RadiusServer/target//var/log/radius" run_dir = "/var/packages/RadiusServer/target//var/run/radiusd" libdir = "/var/packages/RadiusServer/target//lib" radacctdir = "/var/packages/RadiusServer/target//var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/packages/RadiusServer/target//var/run/radiusd/radiusd.pid" checkrad = "/var/packages/RadiusServer/target//sbin/checkrad" debug_level = 0 proxy_requests = no log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes allow_vulnerable_openssl = no } } radiusd: #### Loading Realms and Home Servers #### radiusd: #### Loading Clients #### client 192.168.2.0/24 { require_message_authenticator = no secret = "xxxxxxx" shortname = "xxxx" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /var/packages/RadiusServer/target/etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /var/packages/RadiusServer/target/etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /var/packages/RadiusServer/target/etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /var/packages/RadiusServer/target/etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /var/packages/RadiusServer/tar get/etc/raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /var/packages/RadiusServer/tar get/etc/raddb/eap.conf eap { default_eap_type = "mschapv2" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/usr/local/etc/certificate/Ra diusServer/radiusd/privkey.pem" certificate_file = "/usr/local/etc/certificate/Ra diusServer/radiusd/fullchain.pem" private_key_password = "12345" dh_file = "/var/packages/RadiusServer/target/etc/raddb/certs/dh" random_file = "/var/packages/RadiusServer/target/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no check_all_crl = no cipher_list = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384: DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE- ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA- AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA: ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE- RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE- RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES- CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA: AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256- SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS" ecdh_curve = "prime256v1" verify { } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /var/packages/RadiusServer/target/etc/raddb/modules/preprocess preprocess { huntgroups = "/var/packages/RadiusServer/target/etc/raddb/huntgroups" hints = "/var/packages/RadiusServer/target/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /var/packages/RadiusServer/target/etc/raddb/huntgroups reading pairlist file /var/packages/RadiusServer/target/etc/raddb/hints Module: Linked to module rlm_files Module: Instantiating module "files" from file /var/packages/RadiusServer/target/etc/raddb/modules/files files { usersfile = "/var/packages/RadiusServer/target/etc/raddb/users" acctusersfile = "/var/packages/RadiusServer/target/etc/raddb/acct_users" preproxy_usersfile = "/var/packages/RadiusServer/ta rget/etc/raddb/preproxy_users" compat = "no" } reading pairlist file /var/packages/RadiusServer/target/etc/raddb/users reading pairlist file /usr/local/synoradius/rad_users reading pairlist file /var/packages/RadiusServer/target/etc/raddb/acct_users reading pairlist file /var/packages/RadiusServer/tar get/etc/raddb/preproxy_users Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /var/packages/RadiusServer/target/etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /var/packages/RadiusServer/target/etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /var/packages/RadiusServer/target/etc/raddb/modules/detail detail { detailfile = "/var/packages/RadiusServer/target//var/log/radius/radacct/% {%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no escape_filenames = no } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /var/packages/RadiusServer/target/etc/raddb/modules/unix unix { radwtmp = "/var/packages/RadiusServer/target//var/log/radius/radwtmp" } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /var/packages/RadiusServer/target/etc/raddb/modules/radutmp radutmp { filename = "/var/packages/RadiusServer/target//var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /var/packages/RadiusServer/target/etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/var/packages/RadiusServer/target/etc/raddb/attrs.accountin g_response" key = "%{User-Name}" relaxed = no } reading pairlist file /var/packages/RadiusServer/tar get/etc/raddb/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /var/packages/RadiusServer/target/etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/var/packages/RadiusServer/target/etc/raddb/attrs.access_re ject" key = "%{User-Name}" relaxed = no } reading pairlist file /var/packages/RadiusServer/tar get/etc/raddb/attrs.access_reject } # modules } # server server inner-tunnel { # from file /usr/local/synoradius/rad_site_inn_local modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /var/packages/RadiusServer/tar get/etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /var/packages/RadiusServer/target/etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /var/packages/RadiusServer/target/etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes allow_retry = yes } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_passwd Module: Instantiating module "smbpasswd" from file /var/packages/RadiusServer/target/etc/raddb/modules/smbpasswd passwd smbpasswd { filename = "/etc/samba/private/smbpasswd" format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::" delimiter = ":" ignorenislike = no ignoreempty = yes allowmultiplekeys = no hashsize = 100 } rlm_passwd: nfields: 7 keyfield 0(User-Name) listable: no Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 127.0.0.1 port = 1812 } listen { type = "auth" ipaddr = 192.168.2.3 port = 1812 } listen { type = "control" listen { socket = "/var/packages/RadiusServer/target//var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address 127.0.0.1 port 1812 Listening on authentication address 192.168.2.3 port 1812 Listening on command file /var/packages/RadiusServer/tar get//var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Ready to process requests. rad_recv: Access-Request packet from host 192.168.2.170 port 6103, id=2, length=145 User-Name = "xxxx" NAS-IP-Address = 192.168.2.170 NAS-Identifier = "Intelligent Switch" NAS-Port = 1 Service-Type = Framed-User Called-Station-Id = "xx-xx-xx-xx-xx-xx" Calling-Station-Id = "xx-xx-xx-xx-xx-xx" Framed-MTU = 1300 NAS-Port-Type = Ethernet EAP-Message = 0x02ab000a017377616d69 Message-Authenticator = 0xc991c984fab9c5cf0161004eea7f75d2 # Executing section authorize from file /usr/local/synoradius/rad_site _def_local +group authorize { ++[preprocess] = ok [eap] EAP packet type response id 171 length 10 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry xxxx at line 4 ++[files] = ok ++[expiration] = noop ++[logintime] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/synoradius/rad_site_def_local +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 2 to 192.168.2.170 port 6103 EAP-Message = 0x01ac001f1a01ac001a10e9e1c078ad05caca313100efcdba9780737761 6d69 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x973167ca979d7d7672b64682fa1c6552 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.170 port 6103, id=4, length=139 User-Name = "xxxx" NAS-IP-Address = 192.168.2.170 NAS-Port = 1 Called-Station-Id = "xx-xx-xx-xx-xx-xx" Calling-Station-Id = "xx-xx-xx-xx-xx-xx" Framed-MTU = 1300 Service-Type = Framed-User NAS-Port-Type = Ethernet State = 0x973167ca979d7d7672b64682fa1c6552 EAP-Message = 0x02ac00060304 Message-Authenticator = 0x7ea32f868e5b2e8165614aaac0ed8338 # Executing section authorize from file /usr/local/synoradius/rad_site _def_local +group authorize { ++[preprocess] = ok [eap] EAP packet type response id 172 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry xxxx at line 4 ++[files] = ok ++[expiration] = noop ++[logintime] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/synoradius/rad_site_def_local +group authenticate { [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/md5 [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 4 to 192.168.2.170 port 6103 EAP-Message = 0x01ad00160410fb47bcf981e68c462d0dc9670e427f8c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x973167ca969c637672b64682fa1c6552 Finished request 1. Going to the next request Waking up in 4.0 seconds. rad_recv: Access-Request packet from host 192.168.2.170 port 6103, id=6, length=155 User-Name = "xxxx" NAS-IP-Address = 192.168.2.170 NAS-Port = 1 Called-Station-Id = "xx-xx-xx-xx-xx-xx" Calling-Station-Id = "xx-xx-xx-xx-xx-xx" Framed-MTU = 1300 Service-Type = Framed-User NAS-Port-Type = Ethernet State = 0x973167ca969c637672b64682fa1c6552 EAP-Message = 0x02ad00160410f0f526bf8df80c013258a2952d03d8f0 Message-Authenticator = 0xb82937c382730e9d6582f7a456f13eb3 # Executing section authorize from file /usr/local/synoradius/rad_site _def_local +group authorize { ++[preprocess] = ok [eap] EAP packet type response id 173 length 22 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry xxxx at line 4 ++[files] = ok ++[expiration] = noop ++[logintime] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/synoradius/rad_site_def_local +group authenticate { [eap] Request found, released from the list [eap] EAP/md5 [eap] processing type md5 [eap] Freeing handler ++[eap] = reject +} # group authenticate = reject Failed to authenticate the user. Login incorrect: [xxxx] (from client xxxx port 1 cli xx-xx-xx-xx-xx-xx) Using Post-Auth-Type Reject # Executing group from file /usr/local/synoradius/rad_site_def_local +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> xxxx attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 2 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 2 Sending Access-Reject of id 6 to 192.168.2.170 port 6103 EAP-Message = 0x04ad0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 2.0 seconds. Cleaning up request 0 ID 2 with timestamp +32 Waking up in 0.9 seconds. Cleaning up request 1 ID 4 with timestamp +33 Waking up in 1.9 seconds. Cleaning up request 2 ID 6 with timestamp +34 Ready to process requests.