Hello, I can authenticate ldap users using the NTRadPing tool without a problem. But I cant do it through an Access Point. Can you help me? I have the AP(D-Link 2100 AP+) configure to WPA-EAP, Cipher Type=Auto. I list the radius config and debug. radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 172.22.0.21 { ipaddr = 172.22.0.21 require_message_authenticator = no secret = "si" shortname = "xxxxx" nastype = "other" } client AP1-E1 { ipaddr = 192.168.70.70 require_message_authenticator = no secret = "si" shortname = "AP1-E1" nastype = "other" } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.70.70 port 1038, id=0, length=201 Message-Authenticator = 0x0bad8dc9bc9d09a88d777055e87bc06f Service-Type = Framed-User User-Name = "ldapuser" Framed-MTU = 1488 Called-Station-Id = "00-22-B0-69-74-74:RadiusServer" Calling-Station-Id = "00-1C-BF-63-43-7F" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200000c0139303230313535 NAS-IP-Address = 192.168.70.70 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ldapuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop [ldap] performing user authorization for ldapuser [ldap] expand: %{Stripped-User-Name} -> [ldap] expand: %{User-Name} -> ldapuser [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=ldapuser) [ldap] expand: dc=test,dc=test,dc=pt -> dc=test,dc=test,dc=pt rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to xxx.xxx.xxx.xxx:389, authentication 0 rlm_ldap: bind as uid=borat,dc=test,dc=test,dc=pt/ldappassword to xxx.xxx.xxx.xxx:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=test,dc=test,dc=pt, with filter (uid=ldapuser) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user ldapuser authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.70.70 port 1038 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1f5a0c851f5b15f67ae48d03f8beffe6 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.70.70 port 1038, id=1, length=490 Message-Authenticator = 0xba2e0b898f91a1e37da464dd4a07b311 Service-Type = Framed-User User-Name = "ldapuser" Framed-MTU = 1488 State = 0x1f5a0c851f5b15f67ae48d03f8beffe6 Called-Station-Id = "00-22-B0-69-74-74:RadiusServer" Calling-Station-Id = "00-1C-BF-63-43-7F" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0201011919800000010f160301010a0100010603014b69b17864a990f749baa2f53df13aca 45cbccacb1f5bc685e3635514f1e42cb00003800390038003500880087008400160013000a00 330032002f009a00990096004500440041000500040015001200090014001100080006000302 010000a4002300a0d01907820de47ddfa68661ec44d31e5dd8dacaafdad2c82305e227265d28 f850f8a524da4fe4c3b7c860c7de1c52e36def98c4cfb43292159ec293311df317029fc16077 541d9238068a112f6e77a2935fa16efacb85cf609cbfff1577c0d2c9e859cee24b718b747fc9 25802b1e680e86d03e864c6b551b3108afeab659710248cb35aa EAP-Message = 0x8575d2b42e895e1ec907d7e69d9e7386b69232cfa63df6d12d7da003 NAS-IP-Address = 192.168.70.70 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ldapuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 271 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 010a], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0030], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 1 to 192.168.70.70 port 1038 EAP-Message = 0x0102040019c000000ab316030100300200002c03014b69affea71157c286b09b1dcb48c1f8 c7c3c073d302d7cc8d002c5b4f42e2be00003901000400230000160301085e0b00085a000857 0003a6308203a23082028aa003020102020101300d06092a864886f70d010104050030819331 0b3009060355040613024652310f300d06035504081306526164697573311230100603550407 1309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e 06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406035504 03131d4578616d706c6520436572746966696361746520417574 EAP-Message = 0x686f72697479301e170d3130303230333134343231395a170d313130323033313434323139 5a307c310b3009060355040613024652310f300d060355040813065261646975733115301306 0355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c652053 65727665722043657274696669636174653120301e06092a864886f70d010901161161646d69 6e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f0030 82010a0282010100b86c5396cfd7e7e922dbb26df4f4b69f25d3714a819fd36762ad32dc140e 303d5ba97e0db2e28046c54d3019a5e2759ad37694fbc08b03d2 EAP-Message = 0xed836feeac8a599b268410d77e15160bd5cab44dc763c97898b8bffeba36ae5c14913bf44c ed0427f5ee12f2232958d3f2b70a3041c794dd24091ffe85e8f8d4bbb7a787a301a8c1dc902c c95b1dc810e7539a391366deca63ce30c51a889717b865961d1aef3dd308b12431bc8b401d24 7c8a97e7c968ee6a9652809bcc95cbdab84d1a3fe9968916f7a0115448827b960af7203527b1 7990519d26ec1cd7a3fa35dee8ddb488a917d27790afc11347f393a272f8a456106a08a3b28f 7007e69fafa5a61a693ac30203010001a317301530130603551d25040c300a06082b06010505 070301300d06092a864886f70d0101040500038201010094945d EAP-Message = 0x22948e117c5f66d8b5d23a05004dc7141b85059576c06616919c5357136e434b2b1ff34e6e bcc5960d22fff1cfe0456c531603e238de97f9160d792ef10b748ce0b49c01625e24a712ce5f 0a2fb284117bbd355bd598b566d07cfe45d21670d5344de9fde5e581862121fa80c957cb6000 fa418d958d3b09bda9e05bfa5b0806ea0decb18a2d566906224f3cd04e4fcdacbbeaa8772cba 4b3fb165c64a66e3886d006700cd65d0d943f386be08582a020d1f070a9e625e6824500a2810 cda4f3ef919f2495b158a67c76a71196c404b794ee6d3cfc9d6c878259d3e6afc5daa28a0e4d 6e8ab1ff8a6cebb2397215952dfd4253ea689454bd4294fd2633 EAP-Message = 0x0004ab308204a73082038fa0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1f5a0c851e5815f67ae48d03f8beffe6 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.70.70 port 1038, id=9, length=303 Message-Authenticator = 0x40181150ae53bc834616acde8bded5ce Service-Type = Framed-User User-Name = "ldapuser" Framed-MTU = 1488 State = 0x1f5a0c85175315f67ae48d03f8beffe6 Called-Station-Id = "00-22-B0-69-74-74:RadiusServer" Calling-Station-Id = "00-1C-BF-63-43-7F" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02090060190017030100203740cd6052be3de4a2dae33ed1e4699866af641dee6261f14e94 93e21b49db0217030100305406714a1fee8d73edfa87c60a0046641329975a279ecbc1b2ee7d ec5e9d60b9bc61efd8b9e8e5304a341f7eee16e533 NAS-IP-Address = 192.168.70.70 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ldapuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 96 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Had sent TLV failure. User was rejected earlier in this session. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> ldapuser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 9 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 9 Sending Access-Reject of id 9 to 192.168.70.70 port 1038 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.4 seconds. I did cut some debug info, in order to not exceed the max message limit of 100K. I think the problem is here: [eap] processing type md5 rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication but in eap.conf is: eap{ default_eap_type = peap Peap{ default_eap_type = mschapv2 } } Sorry Im not familiar enough with wifi to understand what wrong.