Hi Experts, I have a 'funny' problem with my freeradius 3.0.4 and our Aruba controller. I am testing a freeradius with 802.1x (EAP-MSCHAPv2: WPA2-Ent+AES+PEAP) configuration that works pretty well when both, radius & Aruba, are in our internal network. So works fine with Mac,Win7,Android,iphone, etc The problem came when we moved the Machine to DMZ (Pfsense fw). Lots of small problems (dns's, hosts,etc) raised and were solved. I used the eapol_test successfully on an internal linux that connects successfully to de radius in DMZ, so I went ahead. But when we do the same Mac,Win7,Android,etc WiFIi connection tests with the radius in DMZ, the authentication fails (see radius -X log below). To test if it was a Firewall issues, UDP/TCP ports are fully open between radius(DMZ) & Aruba(internal), in both ways. We opened dmz radius to the internal DNS, I used a Firewall catch all rule to get any ipv4+6 that goes missing by the Firewall rules, but nothing shows up. I tried to Wireshark the Wifi connection from the client win7 without success. Well, I hope someone else had a similar problem and could share the solution, or any clue. Logs of the failing connection ( Win7 -> Aruba ->radius DMZ) , maybe you can see something strange: 10.10.10.10: Aruba 84.84.84.84: Radius at DMZ Received Access-Request Id 111 from 10.10.10.10:32866 to 84.84.84.84:1812 length 205 User-Name = 'test@acme.com' NAS-IP-Address = 10.10.10.10 NAS-Port = 0 NAS-Identifier = '10.10.10.10' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = 'A4C494Exxxxx' Called-Station-Id = '000B866xxxxx' Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x0xx400xxxxxx146xxxxxxxxxxxc673 Aruba-Essid-Name = 'TEST_SSID' Aruba-Location-Id = 'AP1' Aruba-AP-Group = 'default' Message-Authenticator = 0xbxxx268xxxxxxxxxxxxc10f08dae88 (0) Received Access-Request packet from host 10.10.10.10 port 32866, id=111, length=205 (0) User-Name = 'test@acme.com' (0) NAS-IP-Address = 10.10.10.10 (0) NAS-Port = 0 (0) NAS-Identifier = '10.10.10.10' (0) NAS-Port-Type = Wireless-802.11 (0) Calling-Station-Id = 'A4C494XXXXXX' (0) Called-Station-Id = ''000B86xxxxxx' (0) Service-Type = Login-User (0) Framed-MTU = 1100 (0) EAP-Message = 0x02040019017465xxxxxxxxxxxx4063656c6c732e6573 (0) Aruba-Essid-Name = 'TEST_SSID' (0) Aruba-Location-Id = 'AP1' (0) Aruba-AP-Group = 'default' (0) Message-Authenticator = 0xb268fe2779551dxxxxxxxxxxxx08dae88 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) if (!&User-Name) (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\\.\\./ ) (0) if (&User-Name =~ /\\.\\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\\.$/) (0) if (&User-Name =~ /\\.$/) -> FALSE (0) if (&User-Name =~ /@\\./) (0) if (&User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) auth_log : EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres s}}/auth-detail-%Y%m%d (0) auth_log : --> /var/log/radius/radacct/10.10.10.10/auth-detail-20170929 (0) auth_log : /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres s}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.10.10.10/auth-detail-20170929 (0) auth_log : EXPAND %t (0) auth_log : --> Fri Sep 29 16:42:40 2017 (0) [auth_log] = ok (0) [mschap] = noop (0) suffix : Checking for suffix after "@" (0) suffix : Looking up realm "acme.com" for User-Name = "test@acme.com" (0) suffix : Found realm "acme.com" (0) suffix : Adding Realm = "acme.com" (0) suffix : Authentication realm is LOCAL (0) [suffix] = ok (0) eap : Peer sent code Response (2) ID 4 length 25 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap : Peer sent method Identity (1) (0) eap : Calling eap_peap to process EAP data (0) eap_peap : Flushing SSL sessions (of #0) (0) eap_peap : Initiate (0) eap_peap : Start returned 1 (0) eap : New EAP session, adding 'State' attribute to reply 0x7317e1da7312f877 (0) [eap] = handled (0) } # authenticate = handled (0) Sending Access-Challenge packet to host 10.10.10.10 port 32866, id=111, length=0 (0) EAP-Message = 0x010500061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x7317e1da7312f877fca7b6e2bbfa846d Sending Access-Challenge Id 111 from 84.84.84.84:1812 to 10.10.10.10:32866 EAP-Message = 0x010500061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7317e1da7312f877fca7b6e2bbfa846d (0) Finished request Waking up in 0.3 seconds. Waking up in 6.6 seconds. Received Access-Request Id 111 from 10.10.10.10:32866 to 84.84.84.84:1812 length 205 Sending Access-Challenge Id 111 from 84.84.84.84:1812 to 10.10.10.10:32866 Waking up in 999993.0 seconds. Received Access-Request Id 111 from 10.10.10.10:32866 to 84.84.84.84:1812 length 205 Sending Access-Challenge Id 111 from 84.84.84.84:1812 to 10.10.10.10:32866 Waking up in 1999986.0 seconds. Received Access-Request Id 111 from 10.10.10.10:32866 to 84.84.84.84:1812 length 205 Sending Access-Challenge Id 111 from 84.84.84.84:1812 to 10.10.10.10:32866 Waking up in 3999977.0 seconds.