Here's the full output from 'radiusd -X': rad_recv: Access-Request packet from host 127.0.0.1 port 46518, id=0, length=130 User-Name = "USERNAME" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200001001656475726f616d74657374 Message-Authenticator = 0x19af91fa38ff062679ec1d03996186f1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "USERNAME", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 16 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 127.0.0.1 port 46518 EAP-Message = 0x010100160410e3c3e67208c265aca07beb7e7865d463 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd51fc6e5d51ec2fc226b361c74f28d1a Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 46518, id=1, length=138 User-Name = "USERNAME" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020100060319 State = 0xd51fc6e5d51ec2fc226b361c74f28d1a Message-Authenticator = 0xd31570627564c5a11fb8b9203e310ce1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "USERNAME", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 1 to 127.0.0.1 port 46518 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd51fc6e5d41ddffc226b361c74f28d1a Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 46518, id=2, length=254 User-Name = "USERNAME" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0202007a198000000070160301006b0100006703014e96960ad361f23dc096d265af71ceffd445b4d9ae042b0c7c42b6b3846d4bee00003a00390038008800870035008400160013000a00330032009a009900450044002f00960041000500040015001200090014001100080006000300ff0100000400230000 State = 0xd51fc6e5d41ddffc226b361c74f28d1a Message-Authenticator = 0x7b23ec62a31e205a2a7ec5c7f9740229 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "USERNAME", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 122 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 112 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 006b], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0035], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0824], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 2 to 127.0.0.1 port 46518 EAP-Message = 0x0103040019c000000a7e16030100350200003103014e96960af25becfff944c864c255fad5a356b511aa59ced9de668370811edd2c000039000009ff010001000023000016030108240b00082000081d00038d3082038930820271a003020102020103300d06092a864886f70d0101050500308188310b300906035504061302554b311730150603550408130e556e69746564204b696e67646f6d311830160603550407130f57657374206f6620456e676c616e64310c300a060355040a13035557453121301f06092a864886f70d01090116126974732d756e6978407577652e61632e756b311530130603550403130c5557452c2042726973746f6c EAP-Message = 0x301e170d3131303932373132313430385a170d3132303932363132313430385a306e310b300906035504061302554b311730150603550408130e556e69746564204b696e67646f6d310c300a060355040a1303555745311530130603550403130c5557452c2042726973746f6c3121301f06092a864886f70d01090116126974732d756e6978407577652e61632e756b30820122300d06092a864886f70d01010105000382010f003082010a0282010100abf8e76947fb730e676e7fe3abb28d7841bcf4766c2075580efe855329fa8c5be97b8853ed81a68a4511d890c0380cbb3fa419cccd2acd229841419fa9f08150accb9626c1ce469762a6b266 EAP-Message = 0xc50a3e8ce93a479982c31431a437fea310ce65ee129f121f47f97cd245d3144fdd154cb91a31ec2939b97a8147246d0553894b2da551783a081b7feb8eef899252668f49b0c63724ee2b6637a0494941c83399085a1408795d835ef1842b7b02b12029a785fa5cd2c0759287c39a14029cb5a2b261432c40267cecc5486ae333bf8d30eaaeddb87cffdf147429a54895f952468d51f32f56add55bed711dd29afd5d74b82952085a5c01a00aa196c2435d7e21910203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505000382010100c5c2bf0108071d7d83a9a6fa3e0adb71ccf140eb3a3270 EAP-Message = 0x8b7c50da65d38a5b8d8faf512930b9f6a37c20fd24e12f83045d53774f324ca59f7dbf38c91a5db93d3daa9317bcf59ce91ee6a358fea314ebc167315ca81e6e276a28653dd2c4040777244a743040abec0b68267e6f3d5cbc09b69f9f6907800780171915d3c4e29cf5bd83e9b880871f6331219ed7b902d4831f29049a734ec7920582dc99c0d9fe2a650e563c5f0c4e50c36148e7e8b001530c461da58ac7c21920db5e8cfa11ccc807e807a2b754cf3c3323b5181e0cdc4e58b88d69dca1cd67f84cc2034c777965ff6e59b9ed1ab408d1f8b00f3b208fcc33047e3a46605b40fe70efc10490d500048a308204863082036ea003020102020900ea EAP-Message = 0x76843bb94e48ff300d06092a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd51fc6e5d71cdffc226b361c74f28d1a Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 46518, id=3, length=138 User-Name = "USERNAME" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020300061900 State = 0xd51fc6e5d71cdffc226b361c74f28d1a Message-Authenticator = 0xeac8d730967a7a82475dc0a22d887533 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "USERNAME", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 3 to 127.0.0.1 port 46518 EAP-Message = 0x010403fc1940864886f70d0101050500308188310b300906035504061302554b311730150603550408130e556e69746564204b696e67646f6d311830160603550407130f57657374206f6620456e676c616e64310c300a060355040a13035557453121301f06092a864886f70d01090116126974732d756e6978407577652e61632e756b311530130603550403130c5557452c2042726973746f6c301e170d3131303932373132303134395a170d3132303932363132303134395a308188310b300906035504061302554b311730150603550408130e556e69746564204b696e67646f6d311830160603550407130f57657374206f6620456e676c616e EAP-Message = 0x64310c300a060355040a13035557453121301f06092a864886f70d01090116126974732d756e6978407577652e61632e756b311530130603550403130c5557452c2042726973746f6c30820122300d06092a864886f70d01010105000382010f003082010a0282010100eca974c9469bb2b9038c9cec00bb4710b72a5158ac68aced1f90f5af352d65068848d7187b033dbc40dc216ae01b1c0f9b37a26342cfbb1d2a544f263a1e79b3934c9895c10c797cb41b67ae18ca2ae955f2ff442f477cf9084d38b43b16a12bf18401ab2cd3d28bc5528f77a231339e20ef7f5cb0b9cec2eeecc41ea475698418883a9d55011ac7959606e44437163e650c2d EAP-Message = 0x15038f9e7d0de2a28657871a47b516daf92b5920988ae0d0eda22f45a41c6b51c94e66b2d1c7c8388d35849f20ca99668862b2de96c0020e91e20b1049c122eafa7de46af7b3ff79ef88a0c4c81e2ab0aabd2861fd271b056a9a3445d83a3699e7dd5a61bcbf9f1cf5676179650203010001a381f03081ed301d0603551d0e04160414832a671a41ae7fd38f7d2a867d3caf4258a634133081bd0603551d230481b53081b28014832a671a41ae7fd38f7d2a867d3caf4258a63413a1818ea4818b308188310b300906035504061302554b311730150603550408130e556e69746564204b696e67646f6d311830160603550407130f57657374206f6620 EAP-Message = 0x456e676c616e64310c300a060355040a13035557453121301f06092a864886f70d01090116126974732d756e6978407577652e61632e756b311530130603550403130c5557452c2042726973746f6c820900ea76843bb94e48ff300c0603551d13040530030101ff300d06092a864886f70d010105050003820101007748eea59b2bd6a4d042a17c13f6a67f94d7de57b9df69dd50473ef15d71362d7394558cfc9b54fc48572f4cb62d3d88802d0be516d230730c2e4e6aceeaebb0098bfd2851141f3d366ece305dfee9eb5f3599e4f60f87925c294e214f576818be4db619a976343323c56ac9b4b32eef0c1c62749cba3d6bb0c36b1105ea4e570a EAP-Message = 0x9236e20dee7f5d17 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd51fc6e5d61bdffc226b361c74f28d1a Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 46518, id=4, length=138 User-Name = "USERNAME" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020400061900 State = 0xd51fc6e5d61bdffc226b361c74f28d1a Message-Authenticator = 0x462ba6d707d88db45403966796b77aae +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "USERNAME", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 4 to 127.0.0.1 port 46518 EAP-Message = 0x01050298190014f24598cc95e56c2df962cf71babff85382b7162f2583c6d0a28ddf9c25b2092388203879c714a8a11b81be2c6634e462905275ad295e874bbd16614231809d913af8d79c9a3a181ae25754adec324ac9caa93299ffa779bea8ba68d03772b5d350b07012458bcc0c565c46d7d651b8c47c16bbd34842160301020d0c0002090080d11460db9abf91f947d88e633cd4e9801540e222c95cce59f1dfbcafa31699ef9e0a5cc17142ca4cf26add8a3125af5b3e671f86dcd93acd5c90610362a99f81da008eb1af2830c5019f42bb6fc709000481512754b92235c8b9b950a31a8a66b8c4212ee376d79271ed2c5c611dd8629961e904dc EAP-Message = 0xa746dfc00b07d867f1cf2300010200809acc0ffd2632f9bd6395fc75fcce6532c87fb8a72104774d5a30e09aee6647ccd17c9b1a8d8e7fb1ee681202b869040b90a5b92f743483956a7c0ab1d0e6793a9fe24b1e412766db333b2955144d7a37f4d7387421ee4edf206d9fce49bb1e855270d0c8e18f9ecae79f836aff647120715bc033b723b3b66c4ec7e346cba30701007246ace4b95fb4e321e49c08e373f86ebf6aee6921fb0bd7b6da516f55614b006f69a275899c538cc150d44aab98d20fd628a62b83a31c269ac46970a4f83a2c1465027b5e653392f3ed802ba74e361a6687b4664f743b5d8fcb8554987db224d147519c09f5eabca4051b EAP-Message = 0x8337529fd094e68c5c78268fd43410af0f1f9f416c06dbc5e243057665b49f117bf74812d67c7c6dbe45c32dc490d2fd652d0f37fdd788ae15950dfb530f4ce72464ba58923a0653c13df28248b3bf89e05853950f56c1008a31d2fe679c91066597c8c595763fa7a3fbd646186bfe548aab39f9376b5421b12964d4f92c85ebed27359eb43db6bdc7e68c6e95452a0f876700143416030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd51fc6e5d11adffc226b361c74f28d1a Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 46518, id=5, length=340 User-Name = "USERNAME" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020500d01980000000c616030100861000008200805acce1c3b4c2a661c04cabe6fc26f48d4ed47fa45c3df4cb1c7c198f7c9b28d95b7d585f79b7cd9c26c7af3f3c7ba9e83b0a37080d3e4e4ff3546172818cc481b603ce2b263fa1498313f5de4b7a44bd8cbea28c311e1e00bd247f1b96ae5484c793807e128ab22ea20af058d351b40025e4325585af1afa450135fc530c23c01403010001011603010030524764251831c4f454d5f934ca8f4cbcfd9a1989b40a91517a7abd51792d649083fadb08e6f89c7d3af7c2c0b15f7445 State = 0xd51fc6e5d11adffc226b361c74f28d1a Message-Authenticator = 0xadda94034436b0ff221189c2f4be6eb4 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "USERNAME", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 208 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 198 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 Handshake [length 00aa]??? [peap] TLS_accept: SSLv3 write session ticket A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 5 to 127.0.0.1 port 46518 EAP-Message = 0x010600f0190016030100aa040000a60000000000a0cc8d70c52047f8b3e2dd5eefa0c6b68d481713110eb10c139a032c9ccd16342bf0bacdba48a21cf380436517e2bf9f38cc9fc56b5bc36ebb97838a7973a5b544716c3e17ea3f50d274da7a2b9fa370521419dfe016961a232f312861f6cfedf1853882db6d9da6d47f95b823935675a40a37f8c3a96a5a41abbd79cf0bb245769988ed24af435f6a1574077885f47c7dac0152caa18a44b3924694afbba260fd1403010001011603010030979402d9cc8285d5b3b688a55259b7d425d77f8cd866491751234dfc0f00fbf507399d0ed2d17862747152c72bdeb1a5 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd51fc6e5d019dffc226b361c74f28d1a Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 46518, id=6, length=138 User-Name = "USERNAME" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020600061900 State = 0xd51fc6e5d019dffc226b361c74f28d1a Message-Authenticator = 0xa8d2d0aa1f4e696f304941c4d6aea9c5 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "USERNAME", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 6 to 127.0.0.1 port 46518 EAP-Message = 0x0107002b19001703010020fde5e4f975c631461bf812654c521bf751cbd50328326c22c4314b1dc22b5981 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd51fc6e5d318dffc226b361c74f28d1a Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 46518, id=7, length=228 User-Name = "USERNAME" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020700601900170301002082ca809e8b71e1737e6f283824f1fc57f516b406a52edcde740635aff970657a1703010030db98915cf59fb0fbd86b01c9c93f2f071441050e4cb24444dc1750d86c0048ad2630960eee387a8b9e917906d101a5e5 State = 0xd51fc6e5d318dffc226b361c74f28d1a Message-Authenticator = 0x9fd3dfdc80fadb9dae243e30fd904c67 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "USERNAME", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 96 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - USERNAME [peap] Got tunneled request EAP-Message = 0x0207001001656475726f616d74657374 server { PEAP: Got tunneled identity of USERNAME PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to USERNAME Sending tunneled request EAP-Message = 0x0207001001656475726f616d74657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "USERNAME" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "USERNAME", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 7 length 16 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010800251a0108002010753b806a5a6af658f2d316d30c12ecc1656475726f616d74657374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf52c5994f52443b388bfb7acfc0b1196 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010800251a0108002010753b806a5a6af658f2d316d30c12ecc1656475726f616d74657374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf52c5994f52443b388bfb7acfc0b1196 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 7 to 127.0.0.1 port 46518 EAP-Message = 0x0108004b19001703010040bebe64dc1329ef2740f8e42c59e1120733b64c36c16a9475d047b551a74dfc12c69cbb404408eab8f872620679d76339d572e88b33e38a385546ae0b37847a85 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd51fc6e5d217dffc226b361c74f28d1a Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 46518, id=8, length=276 User-Name = "USERNAME" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0208009019001703010020ee50e7ff63126c0c1bd3205c1b5329263a41d41fe547b9c71e7fff5021f0990217030100608d63c97a880115c98a6c4912eef2cc8e592bf71ef659f8f13327695b6d066a45c194cb99e0e351e1533c5d6a4b4a80a9137ea22d7fc5dda4b8afbe2e08da5246c1edaea83f2d550a0ed20eab76d634f48076a74b99e3e38db6647e67adbc4390 State = 0xd51fc6e5d217dffc226b361c74f28d1a Message-Authenticator = 0xe7ced67503caf2dc1389e6b832ec8252 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "USERNAME", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020800461a020800413140c4b30b46c9ec6da33aad308ce5eb96000000000000000027fce3051abca58436d4737a54e109bf7485f073cf95b00900656475726f616d74657374 server { PEAP: Setting User-Name to USERNAME Sending tunneled request EAP-Message = 0x020800461a020800413140c4b30b46c9ec6da33aad308ce5eb96000000000000000027fce3051abca58436d4737a54e109bf7485f073cf95b00900656475726f616d74657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "USERNAME" State = 0xf52c5994f52443b388bfb7acfc0b1196 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "USERNAME", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 8 length 70 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for USERNAME with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 8 to 127.0.0.1 port 46518 EAP-Message = 0x0109002b190017030100208c4e2f1cf1bae28345164884c2d88d6076154baf708a8d14257705571de8bdc2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd51fc6e5dd16dffc226b361c74f28d1a Finished request 8. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 46518, id=9, length=212 User-Name = "USERNAME" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0209005019001703010020d9cfaefa5e285c9f5f3f69feb289acf8d93c592efca5a111d9de338781b85fb917030100201d132513a9b552a9e5e7f85cb6c0158ad889b9367619656d3dd80a869ef4cd11 State = 0xd51fc6e5dd16dffc226b361c74f28d1a Message-Authenticator = 0x05a869fff5928f065bcf99af65e0681f +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "USERNAME", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> USERNAME attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 9 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 9 Sending Access-Reject of id 9 to 127.0.0.1 port 46518 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 0 ID 0 with timestamp +111 Cleaning up request 1 ID 1 with timestamp +111 Cleaning up request 2 ID 2 with timestamp +111 Cleaning up request 3 ID 3 with timestamp +111 Cleaning up request 4 ID 4 with timestamp +111 Cleaning up request 5 ID 5 with timestamp +111 Cleaning up request 6 ID 6 with timestamp +111 Cleaning up request 7 ID 7 with timestamp +111 Cleaning up request 8 ID 8 with timestamp +111 Waking up in 1.0 seconds. Cleaning up request 9 ID 9 with timestamp +111 Ready to process requests. From: freeradius-users-bounces+martin.ubank=uwe.ac.uk@lists.freeradius.org [mailto:freeradius-users-bounces+martin.ubank=uwe.ac.uk@lists.freeradius.org] On Behalf Of Arran Cudbard-Bell Sent: 14 October 2011 16:04 To: FreeRadius users mailing list Subject: Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP I can see from the 'radiusd -X' output that FreeRadius is not using MS-CHAP correctly: <snip> [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for USERNAME with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject <snip> You just snipped away the useful information in the log... Please include the full debug log for the EAP round where this message is produced. Arran Cudbard-Bell a.cudbardb@freeradius.org<mailto:a.cudbardb@freeradius.org> Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !