Quoting Alan DeKok <aland@deployingradius.com>:
You can't use PAM and EAP-MD5 together. It's impossible.
That sounds like important information! To turn off EAP, I commented out all of the lines related to EAP in /etc/freeradius/sites-enabled/default and in /etc/freeradius/sites-enabled/inner-tunnel. Unfortunately, the result is still the same, but freeradius' debug output has changed significantly: ================================================== ... rad_recv: Access-Request packet from host 192.168.2.2 port 1028, id=0, length=127 User-Name = "jwinius" NAS-IP-Address = 192.168.2.2 Called-Station-Id = "0014bf72f676" Calling-Station-Id = "00110a81fb2b" NAS-Identifier = "0014bf72f676" NAS-Port = 17 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200000c016a77696e697573 Message-Authenticator = 0x0695dc9b4d3f16a1fd94a9be695eb90d # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "jwinius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [files] users: Matched entry DEFAULT at line 211 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = PAM # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} rlm_pam: Attribute "User-Password" is required for authentication. ++[pam] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> jwinius attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 0 to 192.168.2.2 port 1028 ... ================================================== Still no activity ion /var/log/auth.log. Cheers, Jaap