Hi, I'm pretty stuck in a radius/ldap 802.1x authentication. During the authentication process the client (windows 2k through a e1 switch) sends the authentication using MD5-Challenge which is for what I understand the easiest of all. The FreeRadius server recevies everything but failed to authenticate the user. Here is the output rad_recv: Access-Request packet from host 192.168.1.200:1056, id=37, length=96 Message-Authenticator = 0xf44b1f115e9f9aa7d8026af7916c954f User-Name = "gab" NAS-IP-Address = 192.168.1.200 NAS-Port = 32 NAS-Port-Type = Ethernet Calling-Station-Id = "00-E0-29-38-72-DB" EAP-Message = 0x0240000801676162 Framed-MTU = 1000 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for gab radius_xlat: '(uid=gab)' radius_xlat: 'ou=radius, dc=fr' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to galilee.mind-techno.fr:389, authentication 0 rlm_ldap: bind as cn=emanager,ou=radius,dc=fr/socrate2803 to galilee.mind-techno.fr:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=radius, dc=fr, with filter (uid=gab) rlm_ldap: checking if remote access for gab is allowed by radiusFilterId rlm_ldap: Added password {MD5}mmGCSLZNti0VswCgewBYCw== in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as User-Password, value { & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusFilterId as Filter-Id, value Enterasys:version=1:policy=Enterprise User & op=11 rlm_ldap: user gab authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 rlm_eap: EAP packet type response id 64 length 8 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type md5 rlm_eap_md5: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 37 to 192.168.1.200:1056 Filter-Id = "Enterasys:version=1:policy=Enterprise User" EAP-Message = 0x014100160410f863dc8a4ae21123368575c7ac478f42 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0d1c294f270f623665d377ff9b34eb92 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.200:1057, id=38, length=96 Message-Authenticator = 0x5c5c8803ec4b135afc57ba4443c8f64f User-Name = "gab" NAS-IP-Address = 192.168.1.200 NAS-Port = 32 NAS-Port-Type = Ethernet Calling-Station-Id = "00-E0-29-38-72-DB" EAP-Message = 0x0242000801676162 Framed-MTU = 1000 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for gab radius_xlat: '(uid=gab)' radius_xlat: 'ou=radius, dc=fr' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=radius, dc=fr, with filter (uid=gab) rlm_ldap: checking if remote access for gab is allowed by radiusFilterId rlm_ldap: Added password {MD5}mmGCSLZNti0VswCgewBYCw== in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as User-Password, value { & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusFilterId as Filter-Id, value Enterasys:version=1:policy=Enterprise User & op=11 rlm_ldap: user gab authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 1 rlm_eap: EAP packet type response id 66 length 8 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: EAP Identity rlm_eap: processing type md5 rlm_eap_md5: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 1 modcall: group authenticate returns handled for request 1 Sending Access-Challenge of id 38 to 192.168.1.200:1057 Filter-Id = "Enterasys:version=1:policy=Enterprise User" EAP-Message = 0x014300160410537c01ae485e80e5e60a42ebe253c954 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x924e905b561231069339383faf04ce3b Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... rad_recv: Access-Request packet from host 192.168.1.200:1057, id=39, length=128 Message-Authenticator = 0x1419a4cc9ce6110c3899d7e1b6e16e96 User-Name = "gab" State = 0x924e905b561231069339383faf04ce3b NAS-IP-Address = 192.168.1.200 NAS-Port = 32 NAS-Port-Type = Ethernet Calling-Station-Id = "00-E0-29-38-72-DB" Framed-MTU = 1000 EAP-Message = 0x024300160410e2a54a8018106d1354e86a78906ab7b9 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 rlm_ldap: - authorize rlm_ldap: performing user authorization for gab radius_xlat: '(uid=gab)' radius_xlat: 'ou=radius, dc=fr' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=radius, dc=fr, with filter (uid=gab) rlm_ldap: checking if remote access for gab is allowed by radiusFilterId rlm_ldap: Added password {MD5}mmGCSLZNti0VswCgewBYCw== in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as User-Password, value { & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusFilterId as Filter-Id, value Enterasys:version=1:policy=Enterprise User & op=11 rlm_ldap: user gab authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 2 rlm_eap: EAP packet type response id 67 length 22 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 modcall: group authorize returns updated for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/md5 rlm_eap: processing type md5 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 2 modcall: group authenticate returns reject for request 2 auth: Failed to validate the user. Login incorrect: [gab] (from client mind-intern port 32 cli 00-E0-29-38-72-DB) Delaying request 2 for 1 seconds Finished request 2 Going to the next request Cleaning up request 0 ID 37 with timestamp 43d5f546 Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 39 to 192.168.1.200:1057 EAP-Message = 0x04430004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 38 with timestamp 43d5f54b Cleaning up request 2 ID 39 with timestamp 43d5f54b Nothing to do. Sleeping until we see a request. The user gab in the ldap database is : dn: uid=gab,ou=users,ou=radius,dc=fr structuralObjectClass: inetOrgPerson entryUUID: a4ff72d0-2078-102a-99d1-fb3e3efc1b6e creatorsName: cn=admin,ou=radius,dc=fr createTimestamp: 20060123162543Z radiusFilterId: "Enterasys:version=1:policy=Enterprise User" uid: gab description: 802.1x user objectClass: top objectClass: radiusprofile objectClass: inetOrgPerson sn: gab cn: gab userPassword:: e01ENX1tbUdDU0xaTnRpMFZzd0NnZXdCWUN3PT0= entryCSN: 20060124083844Z#000001#00#000000 modifiersName: cn=admin,ou=radius,dc=fr modifyTimestamp: 20060124083844Z The radius.conf file for the authorize and authenticate section : authorize { ldap eap } authenticate { Auth-Type LDAP { ldap } eap } I'm getting lost in all this. Do you have any clues to resolve this ? Thanks in advance. Regards, -- M. Robert Wakim Mind Technologies 24 rue Victor Hugo 94220 Charenton-Le-Pont FRANCE tel : +33 (0)1 41 79 09 40 Fax : +33 (0)1 43 68 80 32 Email : rwakim@mind-techno.fr web : http://www.mind-techno.fr