Hello, Below is the full debug output of freeradius 3.2.7. The final Access-Accept is this: authentik-freeradius-1 | (15) Sent Access-Accept Id 16 from 10.1.2.1:1812 to 10.0.0.5:46092 length 61 authentik-freeradius-1 | (15) Framed-MTU += 994 authentik-freeradius-1 | (15) Tunnel-Type = VLAN authentik-freeradius-1 | (15) Tunnel-Medium-Type = IEEE-802 authentik-freeradius-1 | (15) Tunnel-Private-Group-Id = "110" I need to add MPPE keys in the reply packet for the WPA NAS to have an encrypted connection to the mobile client. That is what the vendor says their WPA NAS requires for wireless clients. The documentation I found concerning to MPPE keys are related to MS-CHAP. What keys/values can I use to add MPPE ? I am doing EAP-TTLS+PAP. The final Access-Accept should look like this: authentik-freeradius-1 | (15) Sent Access-Accept Id 16 from 10.1.2.1:1812 to 10.0.0.5:46092 length YYY authentik-freeradius-1 | (15) MS-MPPE-Recv-Key = 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX authentik-freeradius-1 | (15) MS-MPPE-Send-Key = 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX authentik-freeradius-1 | (15) EAP-Message = 0xYYYYYYYYYYY authentik-freeradius-1 | (15) Framed-MTU += 994 authentik-freeradius-1 | (15) Tunnel-Type = VLAN authentik-freeradius-1 | (15) Tunnel-Medium-Type = IEEE-802 authentik-freeradius-1 | (15) Tunnel-Private-Group-Id = "110" The full debug output: authentik-freeradius-1 | (8) Received Access-Request Id 9 from 10.0.0.5:46092 to 10.1.2.1:1812 length 273 authentik-freeradius-1 | (8) User-Name = "thatsme" authentik-freeradius-1 | (8) NAS-IP-Address = 10.0.0.5 authentik-freeradius-1 | (8) NAS-Port-Id = "00000001" authentik-freeradius-1 | (8) NAS-Identifier = "TP-Link:263626d2c501" authentik-freeradius-1 | (8) Called-Station-Id = "26-36-26-D2-C5-01:Relevant" authentik-freeradius-1 | (8) NAS-Port-Type = Wireless-802.11 authentik-freeradius-1 | (8) Event-Timestamp = "Jun 30 2025 13:12:02 UTC" authentik-freeradius-1 | (8) Connect-Info = "CONNECT 54Mbps 802.11a" authentik-freeradius-1 | (8) Acct-Session-Id = "263626d2c501-9F3FBFEE3494B7C3" authentik-freeradius-1 | (8) Acct-Multi-Session-Id = "1B9880FB001579F3" authentik-freeradius-1 | (8) WLAN-Pairwise-Cipher = 1027076 authentik-freeradius-1 | (8) Framed-MTU = 1400 authentik-freeradius-1 | (8) EAP-Message = 0x0278000c0174686174736d65 authentik-freeradius-1 | (8) Message-Authenticator = 0xfe647dc553addf954631112df816fd9f authentik-freeradius-1 | (8) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (8) authorize { authentik-freeradius-1 | (8) if (&User-Name) { authentik-freeradius-1 | (8) if (&User-Name) -> TRUE authentik-freeradius-1 | (8) if (&User-Name) { authentik-freeradius-1 | (8) if (&User-Name =~ / /) { authentik-freeradius-1 | (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { authentik-freeradius-1 | (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE authentik-freeradius-1 | (8) if (&User-Name =~ /@\./) -> FALSE authentik-freeradius-1 | (8) } # if (&User-Name) = notfound authentik-freeradius-1 | (8) } # policy filter_username = notfound authentik-freeradius-1 | (8) [digest] = noop authentik-freeradius-1 | (8) suffix: Checking for suffix after "@" authentik-freeradius-1 | (8) suffix: No '@' in User-Name = "thatsme", looking up realm NULL authentik-freeradius-1 | (8) if (User-Name && !User-Password) { authentik-freeradius-1 | (8) if (User-Name && !User-Password) -> TRUE authentik-freeradius-1 | (8) if (User-Name && !User-Password) { authentik-freeradius-1 | (8) update request { authentik-freeradius-1 | (8) &User-Password := &User-Name -> 'thatsme' authentik-freeradius-1 | (8) } # update request = noop authentik-freeradius-1 | (8) } # if (User-Name && !User-Password) = noop authentik-freeradius-1 | (8) eap: Peer sent EAP Response (code 2) ID 120 length 12 authentik-freeradius-1 | (8) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize authentik-freeradius-1 | (8) [eap] = ok authentik-freeradius-1 | (8) } # authorize = ok authentik-freeradius-1 | (8) Found Auth-Type = eap authentik-freeradius-1 | (8) # Executing group from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (8) authenticate { authentik-freeradius-1 | (8) eap: Peer sent packet with method EAP Identity (1) authentik-freeradius-1 | (8) eap: Using default_eap_type = TTLS authentik-freeradius-1 | (8) eap: Calling submodule eap_ttls to process data authentik-freeradius-1 | (8) eap_ttls: (TLS) TTLS -Initiating new session authentik-freeradius-1 | (8) eap: Sending EAP Request (code 1) ID 121 length 6 authentik-freeradius-1 | (8) eap: EAP session adding &reply:State = 0x13652bfd131c3ee0 authentik-freeradius-1 | (8) [eap] = handled authentik-freeradius-1 | (8) } # authenticate = handled authentik-freeradius-1 | (8) # Executing group from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (8) Challenge { ... } # empty sub-section is ignored authentik-freeradius-1 | (8) Framed-MTU = 994 authentik-freeradius-1 | (8) Sent Access-Challenge Id 9 from 10.1.2.1:1812 to 10.0.0.5:46092 length 64 authentik-freeradius-1 | (8) EAP-Message = 0x017900061520 authentik-freeradius-1 | (8) Message-Authenticator = 0x00000000000000000000000000000000 authentik-freeradius-1 | (8) State = 0x13652bfd131c3ee02cb9291428252449 authentik-freeradius-1 | (8) Finished request authentik-freeradius-1 | Waking up in 4.9 seconds. authentik-freeradius-1 | (9) Received Access-Request Id 10 from 10.0.0.5:46092 to 10.1.2.1:1812 length 416 authentik-freeradius-1 | (9) User-Name = "thatsme" authentik-freeradius-1 | (9) NAS-IP-Address = 10.0.0.5 authentik-freeradius-1 | (9) NAS-Port-Id = "00000001" authentik-freeradius-1 | (9) Event-Timestamp = "Jun 30 2025 13:12:02 UTC" authentik-freeradius-1 | (9) Service-Type = Framed-User authentik-freeradius-1 | (9) NAS-Port = 1 authentik-freeradius-1 | (9) Calling-Station-Id = "1E-04-F0-DE-D7-92" authentik-freeradius-1 | (9) Connect-Info = "CONNECT 54Mbps 802.11a" authentik-freeradius-1 | (9) Acct-Session-Id = "263626d2c501-9F3FBFEE3494B7C3" authentik-freeradius-1 | (9) Acct-Multi-Session-Id = "1B9880FB001579F3" authentik-freeradius-1 | (9) WLAN-Pairwise-Cipher = 1027076 authentik-freeradius-1 | (9) WLAN-Group-Cipher = 1027076 authentik-freeradius-1 | (9) WLAN-AKM-Suite = 1027073 authentik-freeradius-1 | (9) WLAN-Group-Mgmt-Cipher = 1027078 authentik-freeradius-1 | (9) Framed-MTU = 1400 authentik-freeradius-1 | (9) EAP-Message = 0x027900891500160301007e0100007a0303f7cdef6120f26539c5194f2edb74c67cbf671649516edb239c950d2ac1ac293a00001ec02bc02fc02cc030cca9cca8c009c013c00ac014009c009d002f0035000a0100003300170000ff01000100000a00080006001d00170018000b00020100000d00140012040308040401050308050501080606010201 authentik-freeradius-1 | (9) State = 0x13652bfd131c3ee02cb9291428252449 authentik-freeradius-1 | (9) Message-Authenticator = 0x0f5496a242d2e1b94c10cfcd20052d23 authentik-freeradius-1 | (9) Restoring &session-state authentik-freeradius-1 | (9) &session-state:Framed-MTU = 994 authentik-freeradius-1 | (9) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (9) authorize { authentik-freeradius-1 | (9) policy filter_username { authentik-freeradius-1 | (9) if (&User-Name) { authentik-freeradius-1 | (9) if (&User-Name) -> TRUE authentik-freeradius-1 | (9) if (&User-Name) { authentik-freeradius-1 | (9) if (&User-Name =~ / /) { authentik-freeradius-1 | (9) if (&User-Name =~ / /) -> FALSE authentik-freeradius-1 | (9) if (&User-Name =~ /@[^@]*@/ ) { authentik-freeradius-1 | (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE authentik-freeradius-1 | (9) if (&User-Name =~ /\.\./ ) { authentik-freeradius-1 | (9) if (&User-Name =~ /\.\./ ) -> FALSE authentik-freeradius-1 | (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { authentik-freeradius-1 | (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE authentik-freeradius-1 | (9) if (&User-Name =~ /\.$/) { authentik-freeradius-1 | (9) if (&User-Name =~ /\.$/) -> FALSE authentik-freeradius-1 | (9) if (&User-Name =~ /@\./) { authentik-freeradius-1 | (9) if (&User-Name =~ /@\./) -> FALSE authentik-freeradius-1 | (9) } # if (&User-Name) = notfound authentik-freeradius-1 | (9) } # policy filter_username = notfound authentik-freeradius-1 | (9) [digest] = noop authentik-freeradius-1 | (9) suffix: Checking for suffix after "@" authentik-freeradius-1 | (9) if (User-Name && !User-Password) { authentik-freeradius-1 | (9) update request { authentik-freeradius-1 | (9) &User-Password := &User-Name -> 'thatsme' authentik-freeradius-1 | (9) } # update request = noop authentik-freeradius-1 | (9) } # if (User-Name && !User-Password) = noop authentik-freeradius-1 | (9) eap: Peer sent EAP Response (code 2) ID 121 length 137 authentik-freeradius-1 | (9) eap: Continuing tunnel setup authentik-freeradius-1 | (9) [eap] = ok authentik-freeradius-1 | (9) } # authorize = ok authentik-freeradius-1 | (9) Found Auth-Type = eap authentik-freeradius-1 | (9) # Executing group from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (9) authenticate { authentik-freeradius-1 | (9) eap: Removing EAP session with state 0x13652bfd131c3ee0 authentik-freeradius-1 | (9) eap: Previous EAP request found for state 0x13652bfd131c3ee0, released from the list authentik-freeradius-1 | (9) eap: Peer sent packet with method EAP TTLS (21) authentik-freeradius-1 | (9) eap: Calling submodule eap_ttls to process data authentik-freeradius-1 | (9) eap_ttls: Authenticate authentik-freeradius-1 | (9) eap_ttls: (TLS) EAP Got final fragment (131 bytes) total 131 authentik-freeradius-1 | (9) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange authentik-freeradius-1 | (9) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write key exchange authentik-freeradius-1 | (9) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone authentik-freeradius-1 | (9) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server done authentik-freeradius-1 | (9) eap_ttls: (TLS) TTLS - Server : Need to read more data: SSLv3/TLS write server done authentik-freeradius-1 | (9) eap_ttls: (TLS) TTLS - In Handshake Phase authentik-freeradius-1 | (9) eap: Sending EAP Request (code 1) ID 122 length 1000 authentik-freeradius-1 | (9) eap: EAP session adding &reply:State = 0x13652bfd121f3ee0 authentik-freeradius-1 | (9) Using Post-Auth-Type Challenge authentik-freeradius-1 | (9) # Executing group from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (10) Received Access-Request Id 11 from 10.0.0.5:46092 to 10.1.2.1:1812 length 285 authentik-freeradius-1 | (10) User-Name = "thatsme" authentik-freeradius-1 | (10) NAS-IP-Address = 10.0.0.5 authentik-freeradius-1 | (10) NAS-Port-Id = "00000001" authentik-freeradius-1 | (10) NAS-Identifier = "TP-Link:263626d2c501" authentik-freeradius-1 | (10) Called-Station-Id = "26-36-26-D2-C5-01:Relevant" authentik-freeradius-1 | (10) NAS-Port-Type = Wireless-802.11 authentik-freeradius-1 | (10) Event-Timestamp = "Jun 30 2025 13:12:02 UTC" authentik-freeradius-1 | (10) Service-Type = Framed-User authentik-freeradius-1 | (10) NAS-Port = 1 authentik-freeradius-1 | (10) Calling-Station-Id = "1E-04-F0-DE-D7-92" authentik-freeradius-1 | (10) Connect-Info = "CONNECT 54Mbps 802.11a" authentik-freeradius-1 | (10) Acct-Session-Id = "263626d2c501-9F3FBFEE3494B7C3" authentik-freeradius-1 | (10) Acct-Multi-Session-Id = "1B9880FB001579F3" authentik-freeradius-1 | (10) WLAN-Pairwise-Cipher = 1027076 authentik-freeradius-1 | (10) WLAN-Group-Cipher = 1027076 authentik-freeradius-1 | (10) WLAN-AKM-Suite = 1027073 authentik-freeradius-1 | (10) WLAN-Group-Mgmt-Cipher = 1027078 authentik-freeradius-1 | (10) Framed-MTU = 1400 authentik-freeradius-1 | (10) EAP-Message = 0x027a00061500 authentik-freeradius-1 | (10) State = 0x13652bfd121f3ee02cb9291428252449 authentik-freeradius-1 | (10) Restoring &session-state authentik-freeradius-1 | (10) &session-state:Framed-MTU = 994 authentik-freeradius-1 | (10) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello" authentik-freeradius-1 | (10) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello" authentik-freeradius-1 | (10) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate" authentik-freeradius-1 | (10) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange" authentik-freeradius-1 | (10) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone" authentik-freeradius-1 | (10) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (10) authorize { authentik-freeradius-1 | (10) policy filter_username { authentik-freeradius-1 | (10) if (&User-Name) { authentik-freeradius-1 | (10) if (&User-Name) -> TRUE authentik-freeradius-1 | (10) if (&User-Name) { authentik-freeradius-1 | (10) if (&User-Name =~ / /) -> FALSE authentik-freeradius-1 | (10) if (&User-Name =~ /@[^@]*@/ ) { authentik-freeradius-1 | (10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE authentik-freeradius-1 | (10) if (&User-Name =~ /\.\./ ) { authentik-freeradius-1 | (10) if (&User-Name =~ /\.\./ ) -> FALSE authentik-freeradius-1 | (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { authentik-freeradius-1 | (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE authentik-freeradius-1 | (10) if (&User-Name =~ /@\./) { authentik-freeradius-1 | (10) if (&User-Name =~ /@\./) -> FALSE authentik-freeradius-1 | (10) } # if (&User-Name) = notfound authentik-freeradius-1 | (10) } # policy filter_username = notfound authentik-freeradius-1 | (10) [preprocess] = ok authentik-freeradius-1 | (10) [chap] = noop authentik-freeradius-1 | (10) [digest] = noop authentik-freeradius-1 | (10) suffix: Checking for suffix after "@" authentik-freeradius-1 | (10) suffix: No '@' in User-Name = "thatsme", looking up realm NULL authentik-freeradius-1 | (10) suffix: No such realm "NULL" authentik-freeradius-1 | (10) [suffix] = noop authentik-freeradius-1 | (10) if (User-Name && !User-Password) { authentik-freeradius-1 | (10) if (User-Name && !User-Password) -> TRUE authentik-freeradius-1 | (10) if (User-Name && !User-Password) { authentik-freeradius-1 | (10) &User-Password := &User-Name -> 'thatsme' authentik-freeradius-1 | (10) } # update request = noop authentik-freeradius-1 | (10) } # if (User-Name && !User-Password) = noop authentik-freeradius-1 | (10) eap: Peer sent EAP Response (code 2) ID 122 length 6 authentik-freeradius-1 | (10) eap: Continuing tunnel setup authentik-freeradius-1 | (10) [eap] = ok authentik-freeradius-1 | (10) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange" authentik-freeradius-1 | (10) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone" authentik-freeradius-1 | (10) Sent Access-Challenge Id 11 from 10.1.2.1:1812 to 10.0.0.5:46092 length 1064 authentik-freeradius-1 | (10) EAP-Message = 0x017b03e815c000000f932f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c30180603551d200411300f300d060b2b0601040182be68010302301d0603551d0e041604144a7e2994148f5496048c2dc652719f5c7607bc98301f0603551d23041830168014701806d2e6c468e75987bb23a0b1d9f88d709ac4300d06092a864886f70d01010b0500038202010093980ec717a88f949a6937eb2936cd0debc7605e805a0b8630abbc62f35350a0fff1a7886d653db8558319b1bc2d2c31bfea23208c6426ca6f3e50e2572dc7d7a6d90c97a3ef13a70dac554e6549f528a113d0e2a20391b34f295a38966530b917f843450cff4f133d4478bdac234d2a688305ffe69e3220319337fe4903fcc7240c57c33a2c988bb015733f4175045e6d7af21979a035f0a9e10da845b181fd32ae894991b560372a07ebdb52499f94e2f94e271260f08711830b89d8e9ca8873d822f14d1cccd8a24be1e9cbd773 authentik-freeradius-1 | (10) Message-Authenticator = 0x00000000000000000000000000000000 authentik-freeradius-1 | (10) State = 0x13652bfd111e3ee02cb9291428252449 authentik-freeradius-1 | (10) Finished request authentik-freeradius-1 | Waking up in 4.9 seconds. authentik-freeradius-1 | (11) Received Access-Request Id 12 from 10.0.0.5:46092 to 10.1.2.1:1812 length 285 authentik-freeradius-1 | (11) User-Name = "thatsme" authentik-freeradius-1 | (11) NAS-IP-Address = 10.0.0.5 authentik-freeradius-1 | (11) NAS-Port-Id = "00000001" authentik-freeradius-1 | (11) NAS-Identifier = "TP-Link:263626d2c501" authentik-freeradius-1 | (11) Called-Station-Id = "26-36-26-D2-C5-01:Relevant" authentik-freeradius-1 | (11) NAS-Port-Type = Wireless-802.11 authentik-freeradius-1 | (11) Event-Timestamp = "Jun 30 2025 13:12:02 UTC" authentik-freeradius-1 | (11) Calling-Station-Id = "1E-04-F0-DE-D7-92" authentik-freeradius-1 | (11) Connect-Info = "CONNECT 54Mbps 802.11a" authentik-freeradius-1 | (11) WLAN-Pairwise-Cipher = 1027076 authentik-freeradius-1 | (11) WLAN-Group-Cipher = 1027076 authentik-freeradius-1 | (11) State = 0x13652bfd111e3ee02cb9291428252449 authentik-freeradius-1 | (11) Message-Authenticator = 0x3e816d3fa576146ddf2021a82ec4c68a authentik-freeradius-1 | (11) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello" authentik-freeradius-1 | (11) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate" authentik-freeradius-1 | (11) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone" authentik-freeradius-1 | (11) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (11) policy filter_username { authentik-freeradius-1 | (11) if (&User-Name) { authentik-freeradius-1 | (11) if (&User-Name) { authentik-freeradius-1 | (11) if (&User-Name =~ / /) { authentik-freeradius-1 | (11) if (&User-Name =~ /@[^@]*@/ ) { authentik-freeradius-1 | (11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE authentik-freeradius-1 | (11) if (&User-Name =~ /\.\./ ) { authentik-freeradius-1 | (11) if (&User-Name =~ /\.\./ ) -> FALSE authentik-freeradius-1 | (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { authentik-freeradius-1 | (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE authentik-freeradius-1 | (11) if (&User-Name =~ /\.$/) { authentik-freeradius-1 | (11) if (&User-Name =~ /\.$/) -> FALSE authentik-freeradius-1 | (11) if (&User-Name =~ /@\./) { authentik-freeradius-1 | (11) if (&User-Name =~ /@\./) -> FALSE authentik-freeradius-1 | (11) } # if (&User-Name) = notfound authentik-freeradius-1 | (11) } # policy filter_username = notfound authentik-freeradius-1 | (11) [preprocess] = ok authentik-freeradius-1 | (11) [chap] = noop authentik-freeradius-1 | (11) [mschap] = noop authentik-freeradius-1 | (11) [digest] = noop authentik-freeradius-1 | (11) suffix: Checking for suffix after "@" authentik-freeradius-1 | (11) suffix: No '@' in User-Name = "thatsme", looking up realm NULL authentik-freeradius-1 | (11) suffix: No such realm "NULL" authentik-freeradius-1 | (11) [suffix] = noop authentik-freeradius-1 | (11) if (User-Name && !User-Password) { authentik-freeradius-1 | (11) if (User-Name && !User-Password) -> TRUE authentik-freeradius-1 | (11) if (User-Name && !User-Password) { authentik-freeradius-1 | (11) &User-Password := &User-Name -> 'thatsme' authentik-freeradius-1 | (11) } # update request = noop authentik-freeradius-1 | (11) } # if (User-Name && !User-Password) = noop authentik-freeradius-1 | (11) eap: Continuing tunnel setup authentik-freeradius-1 | (11) [eap] = ok authentik-freeradius-1 | (11) } # authorize = ok authentik-freeradius-1 | (11) Found Auth-Type = eap authentik-freeradius-1 | (11) # Executing group from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (11) authenticate { authentik-freeradius-1 | (11) eap: Removing EAP session with state 0x13652bfd111e3ee0 authentik-freeradius-1 | (11) eap: Previous EAP request found for state 0x13652bfd111e3ee0, released from the list authentik-freeradius-1 | (11) eap: Peer sent packet with method EAP TTLS (21) authentik-freeradius-1 | (11) eap: Calling submodule eap_ttls to process data authentik-freeradius-1 | (11) eap_ttls: Authenticate authentik-freeradius-1 | (11) eap_ttls: (TLS) Peer ACKed our handshake fragment authentik-freeradius-1 | (11) eap: Sending EAP Request (code 1) ID 124 length 1000 authentik-freeradius-1 | (11) eap: EAP session adding &reply:State = 0x13652bfd10193ee0 authentik-freeradius-1 | (11) [eap] = handled authentik-freeradius-1 | (11) } # authenticate = handled authentik-freeradius-1 | (11) Using Post-Auth-Type Challenge authentik-freeradius-1 | (11) # Executing group from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (11) Challenge { ... } # empty sub-section is ignored authentik-freeradius-1 | (11) session-state: Saving cached attributes authentik-freeradius-1 | (11) Framed-MTU = 994 authentik-freeradius-1 | (11) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello" authentik-freeradius-1 | (11) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello" authentik-freeradius-1 | (11) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate" authentik-freeradius-1 | (11) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange" authentik-freeradius-1 | (11) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone" authentik-freeradius-1 | (11) Sent Access-Challenge Id 12 from 10.1.2.1:1812 to 10.0.0.5:46092 length 1064 authentik-freeradius-1 | (11) EAP-Message = 0x017c03e815c000000f933127302506035504030c1e52656c6576616e7420436572746966696361746520417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a0282020100e55d87d38cf2c678cd5e9b9cf81d94b6b91cd6463f8d77ec2fc375c2b6b502157c3ead93d845cda3997b1f428ee037cc776726254b9d4746fbf022bbf59228b2b912925af38f8647bc270e8052662caf474f4607aabb9b484b4b3cecfeafd6c483f7f3f77680ae050a7708020d92bda2c75a55113d207dc9511d2e1cac2e4b6dbed4f86a604e08dca9285f4edaf786c6e35f10f91bdad17e23ab955aa3e0f8c29fccedd093d20811fe24aefdc0b7635cb7c9e89a0dbe073a4e7f16180c21594c71660ccf797685939894048d34a8140428b943cb915289a0fc98b52316853f150037f925946cf9be5bfbdebd22bd12041ba4234091b663c0660b86a509bde5ed5116c928fea2bd51297cd2b1c47b076fe41b4a0daf19d765a1e6da397ce03b2816cedd authentik-freeradius-1 | (11) Message-Authenticator = 0x00000000000000000000000000000000 authentik-freeradius-1 | (11) State = 0x13652bfd10193ee02cb9291428252449 authentik-freeradius-1 | (11) Finished request authentik-freeradius-1 | Waking up in 4.9 seconds. authentik-freeradius-1 | (12) Received Access-Request Id 13 from 10.0.0.5:46092 to 10.1.2.1:1812 length 285 authentik-freeradius-1 | (12) User-Name = "thatsme" authentik-freeradius-1 | (12) NAS-Port-Id = "00000001" authentik-freeradius-1 | (12) NAS-Identifier = "TP-Link:263626d2c501" authentik-freeradius-1 | (12) Called-Station-Id = "26-36-26-D2-C5-01:Relevant" authentik-freeradius-1 | (12) NAS-Port-Type = Wireless-802.11 authentik-freeradius-1 | (12) Event-Timestamp = "Jun 30 2025 13:12:02 UTC" authentik-freeradius-1 | (12) Service-Type = Framed-User authentik-freeradius-1 | (12) NAS-Port = 1 authentik-freeradius-1 | (12) Calling-Station-Id = "1E-04-F0-DE-D7-92" authentik-freeradius-1 | (12) Connect-Info = "CONNECT 54Mbps 802.11a" authentik-freeradius-1 | (12) Acct-Session-Id = "263626d2c501-9F3FBFEE3494B7C3" authentik-freeradius-1 | (12) Acct-Multi-Session-Id = "1B9880FB001579F3" authentik-freeradius-1 | (12) WLAN-Pairwise-Cipher = 1027076 authentik-freeradius-1 | (12) WLAN-Group-Cipher = 1027076 authentik-freeradius-1 | (12) WLAN-Group-Mgmt-Cipher = 1027078 authentik-freeradius-1 | (12) Framed-MTU = 1400 authentik-freeradius-1 | (12) EAP-Message = 0x027c00061500 authentik-freeradius-1 | (12) State = 0x13652bfd10193ee02cb9291428252449 authentik-freeradius-1 | (12) Message-Authenticator = 0x768549e29056b2a6c1056c54eb5f1701 authentik-freeradius-1 | (12) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello" authentik-freeradius-1 | (12) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate" authentik-freeradius-1 | (12) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange" authentik-freeradius-1 | (12) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone" authentik-freeradius-1 | (12) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (12) authorize { authentik-freeradius-1 | (12) policy filter_username { authentik-freeradius-1 | (12) if (&User-Name) -> TRUE authentik-freeradius-1 | (12) if (&User-Name) { authentik-freeradius-1 | (12) if (&User-Name =~ / /) { authentik-freeradius-1 | (12) if (&User-Name =~ / /) -> FALSE authentik-freeradius-1 | (12) if (&User-Name =~ /@[^@]*@/ ) { authentik-freeradius-1 | (12) if (&User-Name =~ /@[^@]*@/ ) -> FALSE authentik-freeradius-1 | (12) if (&User-Name =~ /\.\./ ) { authentik-freeradius-1 | (12) if (&User-Name =~ /\.\./ ) -> FALSE authentik-freeradius-1 | (12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { authentik-freeradius-1 | (12) if (&User-Name =~ /@\./) -> FALSE authentik-freeradius-1 | (12) } # if (&User-Name) = notfound authentik-freeradius-1 | (12) } # policy filter_username = notfound authentik-freeradius-1 | (12) [preprocess] = ok authentik-freeradius-1 | (12) [chap] = noop authentik-freeradius-1 | (12) [mschap] = noop authentik-freeradius-1 | (12) [digest] = noop authentik-freeradius-1 | (13) Received Access-Request Id 14 from 10.0.0.5:46092 to 10.1.2.1:1812 length 285 authentik-freeradius-1 | (13) User-Name = "thatsme" authentik-freeradius-1 | (13) NAS-IP-Address = 10.0.0.5 authentik-freeradius-1 | (13) NAS-Port-Id = "00000001" authentik-freeradius-1 | (13) NAS-Identifier = "TP-Link:263626d2c501" authentik-freeradius-1 | (13) Called-Station-Id = "26-36-26-D2-C5-01:Relevant" authentik-freeradius-1 | (13) NAS-Port-Type = Wireless-802.11 authentik-freeradius-1 | (13) Event-Timestamp = "Jun 30 2025 13:12:02 UTC" authentik-freeradius-1 | (13) Service-Type = Framed-User authentik-freeradius-1 | (13) NAS-Port = 1 authentik-freeradius-1 | (13) Calling-Station-Id = "1E-04-F0-DE-D7-92" authentik-freeradius-1 | (13) Connect-Info = "CONNECT 54Mbps 802.11a" authentik-freeradius-1 | (13) Acct-Session-Id = "263626d2c501-9F3FBFEE3494B7C3" authentik-freeradius-1 | (13) Acct-Multi-Session-Id = "1B9880FB001579F3" authentik-freeradius-1 | (13) WLAN-Pairwise-Cipher = 1027076 authentik-freeradius-1 | (13) WLAN-Group-Cipher = 1027076 authentik-freeradius-1 | (13) WLAN-AKM-Suite = 1027073 authentik-freeradius-1 | (13) WLAN-Group-Mgmt-Cipher = 1027078 authentik-freeradius-1 | (13) Framed-MTU = 1400 authentik-freeradius-1 | (13) EAP-Message = 0x027d00061500 authentik-freeradius-1 | (13) State = 0x13652bfd17183ee02cb9291428252449 authentik-freeradius-1 | (13) Message-Authenticator = 0xac7e4c54f452892a4f843cb1118bb999 authentik-freeradius-1 | (13) Restoring &session-state authentik-freeradius-1 | (13) &session-state:Framed-MTU = 994 authentik-freeradius-1 | (13) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello" authentik-freeradius-1 | (13) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello" authentik-freeradius-1 | (13) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate" authentik-freeradius-1 | (13) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange" authentik-freeradius-1 | (13) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone" authentik-freeradius-1 | (13) if (&User-Name =~ /\.\./ ) { authentik-freeradius-1 | (13) if (&User-Name =~ /\.\./ ) -> FALSE authentik-freeradius-1 | (13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { authentik-freeradius-1 | (13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE authentik-freeradius-1 | (13) if (&User-Name =~ /\.$/) { authentik-freeradius-1 | (13) if (&User-Name =~ /\.$/) -> FALSE authentik-freeradius-1 | (13) if (&User-Name =~ /@\./) { authentik-freeradius-1 | (13) if (&User-Name =~ /@\./) -> FALSE authentik-freeradius-1 | (13) } # if (&User-Name) = notfound authentik-freeradius-1 | (13) } # policy filter_username = notfound authentik-freeradius-1 | (13) [preprocess] = ok authentik-freeradius-1 | (13) [chap] = noop authentik-freeradius-1 | (13) [mschap] = noop authentik-freeradius-1 | (13) [digest] = noop authentik-freeradius-1 | (13) suffix: Checking for suffix after "@" authentik-freeradius-1 | (13) suffix: No '@' in User-Name = "thatsme", looking up realm NULL authentik-freeradius-1 | (13) suffix: No such realm "NULL" authentik-freeradius-1 | (13) [suffix] = noop authentik-freeradius-1 | (13) if (User-Name && !User-Password) { authentik-freeradius-1 | (13) if (User-Name && !User-Password) -> TRUE authentik-freeradius-1 | (14) Received Access-Request Id 15 from 10.0.0.5:46092 to 10.1.2.1:1812 length 378 authentik-freeradius-1 | (14) User-Name = "thatsme" authentik-freeradius-1 | (14) NAS-IP-Address = 10.0.0.5 authentik-freeradius-1 | (14) NAS-Port-Id = "00000001" authentik-freeradius-1 | (14) NAS-Identifier = "TP-Link:263626d2c501" authentik-freeradius-1 | (14) Called-Station-Id = "26-36-26-D2-C5-01:Relevant" authentik-freeradius-1 | (14) NAS-Port-Type = Wireless-802.11 authentik-freeradius-1 | (14) Event-Timestamp = "Jun 30 2025 13:12:02 UTC" authentik-freeradius-1 | (14) Service-Type = Framed-User authentik-freeradius-1 | (14) NAS-Port = 1 authentik-freeradius-1 | (14) Calling-Station-Id = "1E-04-F0-DE-D7-92" authentik-freeradius-1 | (14) Connect-Info = "CONNECT 54Mbps 802.11a" authentik-freeradius-1 | (14) Acct-Session-Id = "263626d2c501-9F3FBFEE3494B7C3" authentik-freeradius-1 | (14) Acct-Multi-Session-Id = "1B9880FB001579F3" authentik-freeradius-1 | (14) WLAN-Pairwise-Cipher = 1027076 authentik-freeradius-1 | (14) WLAN-Group-Cipher = 1027076 authentik-freeradius-1 | (14) WLAN-AKM-Suite = 1027073 authentik-freeradius-1 | (14) WLAN-Group-Mgmt-Cipher = 1027078 authentik-freeradius-1 | (14) Framed-MTU = 1400 authentik-freeradius-1 | (14) if (&User-Name =~ /\.$/) { authentik-freeradius-1 | (14) if (&User-Name =~ /\.$/) -> FALSE authentik-freeradius-1 | (14) if (&User-Name =~ /@\./) { authentik-freeradius-1 | (14) if (&User-Name =~ /@\./) -> FALSE authentik-freeradius-1 | (14) } # if (&User-Name) = notfound authentik-freeradius-1 | (14) } # policy filter_username = notfound authentik-freeradius-1 | (14) [preprocess] = ok authentik-freeradius-1 | (14) [chap] = noop authentik-freeradius-1 | (14) [mschap] = noop authentik-freeradius-1 | (14) [digest] = noop authentik-freeradius-1 | (14) suffix: Checking for suffix after "@" authentik-freeradius-1 | (14) suffix: No '@' in User-Name = "thatsme", looking up realm NULL authentik-freeradius-1 | (14) suffix: No such realm "NULL" authentik-freeradius-1 | (14) [suffix] = noop authentik-freeradius-1 | (14) if (User-Name && !User-Password) { authentik-freeradius-1 | (14) if (User-Name && !User-Password) -> TRUE authentik-freeradius-1 | (14) if (User-Name && !User-Password) { authentik-freeradius-1 | (14) update request { authentik-freeradius-1 | (14) &User-Password := &User-Name -> 'thatsme' authentik-freeradius-1 | (14) } # update request = noop authentik-freeradius-1 | (14) eap: Peer sent EAP Response (code 2) ID 126 length 99 authentik-freeradius-1 | (14) eap: Continuing tunnel setup authentik-freeradius-1 | (14) [eap] = ok authentik-freeradius-1 | (14) } # authorize = ok authentik-freeradius-1 | (14) Found Auth-Type = eap authentik-freeradius-1 | (14) # Executing group from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (14) authenticate { authentik-freeradius-1 | (14) eap: Removing EAP session with state 0x13652bfd161b3ee0 authentik-freeradius-1 | (14) eap: Previous EAP request found for state 0x13652bfd161b3ee0, released from the list authentik-freeradius-1 | (14) eap: Peer sent packet with method EAP TTLS (21) authentik-freeradius-1 | (14) eap: Calling submodule eap_ttls to process data authentik-freeradius-1 | (14) eap_ttls: Authenticate authentik-freeradius-1 | (14) eap_ttls: (TLS) EAP Done initial handshake authentik-freeradius-1 | (14) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server done authentik-freeradius-1 | (14) eap_ttls: (TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange authentik-freeradius-1 | (14) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read client key exchange authentik-freeradius-1 | (14) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read change cipher spec authentik-freeradius-1 | (14) eap_ttls: (TLS) TTLS - recv TLS 1.2 Handshake, Finished authentik-freeradius-1 | (14) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read finished authentik-freeradius-1 | (14) eap_ttls: (TLS) TTLS - send TLS 1.2 ChangeCipherSpec authentik-freeradius-1 | (14) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write change cipher spec authentik-freeradius-1 | (14) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, Finished authentik-freeradius-1 | (14) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write finished authentik-freeradius-1 | (14) eap_ttls: (TLS) TTLS - Handshake state - SSL negotiation finished successfully authentik-freeradius-1 | (14) eap_ttls: (TLS) TTLS - Connection Established authentik-freeradius-1 | (14) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" authentik-freeradius-1 | (14) eap_ttls: TLS-Session-Version = "TLS 1.2" authentik-freeradius-1 | (14) eap: Sending EAP Request (code 1) ID 127 length 61 authentik-freeradius-1 | (14) eap: EAP session adding &reply:State = 0x13652bfd151a3ee0 authentik-freeradius-1 | (14) [eap] = handled authentik-freeradius-1 | (14) } # authenticate = handled authentik-freeradius-1 | (14) Using Post-Auth-Type Challenge authentik-freeradius-1 | (14) # Executing group from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (14) Challenge { ... } # empty sub-section is ignored authentik-freeradius-1 | (14) session-state: Saving cached attributes authentik-freeradius-1 | (14) Framed-MTU = 994 authentik-freeradius-1 | (14) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello" authentik-freeradius-1 | (14) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello" authentik-freeradius-1 | (14) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate" authentik-freeradius-1 | (14) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange" authentik-freeradius-1 | (14) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone" authentik-freeradius-1 | (14) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange" authentik-freeradius-1 | (14) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, Finished" authentik-freeradius-1 | (14) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 ChangeCipherSpec" authentik-freeradius-1 | (14) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Finished" authentik-freeradius-1 | (14) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" authentik-freeradius-1 | (14) TLS-Session-Version = "TLS 1.2" authentik-freeradius-1 | (14) Sent Access-Challenge Id 15 from 10.1.2.1:1812 to 10.0.0.5:46092 length 119 authentik-freeradius-1 | (14) EAP-Message = 0x017f003d1580000000331403030001011603030028885d67ae234bf583bbd727193f412d31587ea490ff35ea5ad2b97ca448267b32c534f76445568b6a authentik-freeradius-1 | (14) Message-Authenticator = 0x00000000000000000000000000000000 authentik-freeradius-1 | (14) State = 0x13652bfd151a3ee02cb9291428252449 authentik-freeradius-1 | (14) Finished request authentik-freeradius-1 | Waking up in 4.9 seconds. authentik-freeradius-1 | (15) Received Access-Request Id 16 from 10.0.0.5:46092 to 10.1.2.1:1812 length 358 authentik-freeradius-1 | (15) User-Name = "thatsme" authentik-freeradius-1 | (15) } # if (&User-Name) = notfound authentik-freeradius-1 | (15) } # policy filter_username = notfound authentik-freeradius-1 | (15) eap: Peer sent packet with method EAP TTLS (21) authentik-freeradius-1 | (15) eap: Calling submodule eap_ttls to process data authentik-freeradius-1 | (15) eap_ttls: Authenticate authentik-freeradius-1 | (15) eap_ttls: (TLS) EAP Done initial handshake authentik-freeradius-1 | (15) eap_ttls: Session established. Proceeding to decode tunneled attributes authentik-freeradius-1 | (15) eap_ttls: Got tunneled request authentik-freeradius-1 | (15) eap_ttls: User-Name = "testuser" authentik-freeradius-1 | (15) Expecting proxy response no later than 29.667657 seconds from now authentik-freeradius-1 | Waking up in 4.5 seconds. authentik-freeradius-1 | Suppressing duplicate proxied request (too fast) to home server 172.16.1.7 port 1812 - ID: 15 authentik-freeradius-1 | Waking up in 3.9 seconds. authentik-freeradius-1 | (8) Cleaning up request packet ID 9 with timestamp +1250 due to cleanup_delay was reached authentik-freeradius-1 | (9) Cleaning up request packet ID 10 with timestamp +1250 due to cleanup_delay was reached authentik-freeradius-1 | (10) Cleaning up request packet ID 11 with timestamp +1250 due to cleanup_delay was reached authentik-freeradius-1 | (11) Cleaning up request packet ID 12 with timestamp +1251 due to cleanup_delay was reached authentik-freeradius-1 | (12) Cleaning up request packet ID 13 with timestamp +1251 due to cleanup_delay was reached authentik-freeradius-1 | (13) Cleaning up request packet ID 14 with timestamp +1251 due to cleanup_delay was reached authentik-freeradius-1 | (14) Cleaning up request packet ID 15 with timestamp +1251 due to cleanup_delay was reached authentik-freeradius-1 | Waking up in 25.0 seconds. authentik-freeradius-1 | (15) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! authentik-freeradius-1 | (15) BlastRADIUS check: Received packet without Message-Authenticator from home_server authentik_radius_outpost authentik-freeradius-1 | (15) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! authentik-freeradius-1 | (15) The packet does not contain Message-Authenticator, which is a security issue authentik-freeradius-1 | (15) UPGRADE THE HOME SERVER AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK. authentik-freeradius-1 | (15) Once the home server is upgraded, set "require_message_authenticator = true" for home_server authentik_radius_outpost authentik-freeradius-1 | (15) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! authentik-freeradius-1 | (15) Clearing existing &reply: attributes authentik-freeradius-1 | (15) Received Access-Accept Id 15 from 172.16.1.7:1812 to 10.1.2.1:47859 length 20 authentik-freeradius-1 | (15) server default { authentik-freeradius-1 | (15) } authentik-freeradius-1 | (15) Found Auth-Type = eap authentik-freeradius-1 | (15) Found Auth-Type = Accept authentik-freeradius-1 | (15) ERROR: Warning: Found 2 auth-types on request for user 'thatsme' authentik-freeradius-1 | (15) Auth-Type = Accept, accepting the user authentik-freeradius-1 | (15) # Executing section post-auth from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (15) post-auth { authentik-freeradius-1 | (15) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { authentik-freeradius-1 | (15) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE authentik-freeradius-1 | (15) update { authentik-freeradius-1 | (15) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994 authentik-freeradius-1 | (15) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello' authentik-freeradius-1 | (15) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - send TLS 1.2 Handshake, ServerHello' authentik-freeradius-1 | (15) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - send TLS 1.2 Handshake, Certificate' authentik-freeradius-1 | (15) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange' authentik-freeradius-1 | (15) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone' authentik-freeradius-1 | (15) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange' authentik-freeradius-1 | (15) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - recv TLS 1.2 Handshake, Finished' authentik-freeradius-1 | (15) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - send TLS 1.2 ChangeCipherSpec' authentik-freeradius-1 | (15) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - send TLS 1.2 Handshake, Finished' authentik-freeradius-1 | (15) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES128-GCM-SHA256' authentik-freeradius-1 | (15) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2' authentik-freeradius-1 | (15) } # update = noop authentik-freeradius-1 | (15) [exec] = noop authentik-freeradius-1 | (15) policy remove_reply_message_if_eap { authentik-freeradius-1 | (15) if (&reply:EAP-Message && &reply:Reply-Message) { authentik-freeradius-1 | (15) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE authentik-freeradius-1 | (15) else { authentik-freeradius-1 | (15) [noop] = noop authentik-freeradius-1 | (15) } # else = noop authentik-freeradius-1 | (15) } # policy remove_reply_message_if_eap = noop authentik-freeradius-1 | (15) if (EAP-Key-Name && &reply:EAP-Session-Id) { authentik-freeradius-1 | (15) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE authentik-freeradius-1 | (15) update reply { authentik-freeradius-1 | (15) &Tunnel-Type = VLAN authentik-freeradius-1 | (15) &Tunnel-Medium-Type = IEEE-802 authentik-freeradius-1 | (15) } # update reply = noop authentik-freeradius-1 | (15) if (LDAP-Group == "Group1") { authentik-freeradius-1 | (15) Searching for user in group "Group1" authentik-freeradius-1 | rlm_ldap (ldap): You probably need to lower "min" authentik-freeradius-1 | rlm_ldap (ldap): Closing expired connection (6) - Hit lifetime limit authentik-freeradius-1 | rlm_ldap (ldap): You probably need to lower "min" authentik-freeradius-1 | rlm_ldap (ldap): Closing expired connection (5) - Hit lifetime limit authentik-freeradius-1 | rlm_ldap (ldap): Waiting for bind result... authentik-freeradius-1 | rlm_ldap (ldap): Bind successful authentik-freeradius-1 | (15) User is not a member of "Group1" authentik-freeradius-1 | (15) if (LDAP-Group == "Group1") -> FALSE authentik-freeradius-1 | (15) elsif (LDAP-Group == "Group2") { authentik-freeradius-1 | (15) Searching for user in group "Group2" authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (7) authentik-freeradius-1 | (15) Using user DN from request "cn=testuser,ou=users,dc=ldap,dc=example,dc=com" authentik-freeradius-1 | (15) Checking for user in group objects authentik-freeradius-1 | (15) EXPAND (&(cn=Group2)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}}))) authentik-freeradius-1 | (15) --> (&(cn=Group2)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser))) authentik-freeradius-1 | (15) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=Group2)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser)))", scope "sub" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Search returned no results authentik-freeradius-1 | (15) Checking user object's memberOf attributes authentik-freeradius-1 | (15) Performing unfiltered search in "cn=testuser,ou=users,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Processing memberOf value "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (15) Resolving group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (15) Performing unfiltered search in "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group3" authentik-freeradius-1 | (15) Processing memberOf value "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (15) Resolving group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (15) Performing unfiltered search in "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group4" authentik-freeradius-1 | (15) Processing memberOf value "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (15) Resolving group DN "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (15) Performing unfiltered search in "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Group DN "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group5" authentik-freeradius-1 | rlm_ldap (ldap): Released connection (7) authentik-freeradius-1 | (15) elsif (LDAP-Group == "Group6") { authentik-freeradius-1 | (15) Searching for user in group "Group6" authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (8) authentik-freeradius-1 | (15) Using user DN from request "cn=testuser,ou=users,dc=ldap,dc=example,dc=com" authentik-freeradius-1 | (15) Checking for user in group objects authentik-freeradius-1 | (15) EXPAND (&(cn=Group6)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}}))) authentik-freeradius-1 | (15) --> (&(cn=Group6)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser))) authentik-freeradius-1 | (15) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=Group6)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser)))", scope "sub" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Search returned no results authentik-freeradius-1 | (15) Checking user object's memberOf attributes authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Processing memberOf value "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (15) Resolving group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (15) Performing unfiltered search in "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group3" authentik-freeradius-1 | (15) Processing memberOf value "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (15) Resolving group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (15) Performing unfiltered search in "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group4" authentik-freeradius-1 | (15) Processing memberOf value "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (15) Resolving group DN "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (15) Group DN "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group5" authentik-freeradius-1 | rlm_ldap (ldap): Released connection (8) authentik-freeradius-1 | (15) elsif (LDAP-Group == "Group6") -> FALSE authentik-freeradius-1 | (15) elsif (LDAP-Group == "Group7") { authentik-freeradius-1 | (15) Searching for user in group "Group7" authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (7) authentik-freeradius-1 | (15) Using user DN from request "cn=testuser,ou=users,dc=ldap,dc=example,dc=com" authentik-freeradius-1 | (15) Checking for user in group objects authentik-freeradius-1 | (15) EXPAND (&(cn=Group7)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}}))) authentik-freeradius-1 | (15) --> (&(cn=Group7)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser))) authentik-freeradius-1 | (15) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=Group7)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser)))", scope "sub" authentik-freeradius-1 | (15) Search returned no results authentik-freeradius-1 | (15) Checking user object's memberOf attributes authentik-freeradius-1 | (15) Performing unfiltered search in "cn=testuser,ou=users,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Processing memberOf value "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (15) Resolving group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (15) Performing unfiltered search in "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group3" authentik-freeradius-1 | (15) Processing memberOf value "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (15) Resolving group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (15) Performing unfiltered search in "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group4" authentik-freeradius-1 | (15) Processing memberOf value "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (15) Resolving group DN "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (15) Performing unfiltered search in "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Group DN "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group5" authentik-freeradius-1 | rlm_ldap (ldap): Released connection (7) authentik-freeradius-1 | (15) User is not a member of "Group7" authentik-freeradius-1 | (15) elsif (LDAP-Group == "Group7") -> FALSE authentik-freeradius-1 | (15) elsif (LDAP-Group == "Group8") { authentik-freeradius-1 | (15) Searching for user in group "Group8" authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (8) authentik-freeradius-1 | (15) Using user DN from request "cn=testuser,ou=users,dc=ldap,dc=example,dc=com" authentik-freeradius-1 | (15) Checking for user in group objects authentik-freeradius-1 | (15) EXPAND (&(cn=Group8)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}}))) authentik-freeradius-1 | (15) --> (&(cn=Group8)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser))) authentik-freeradius-1 | (15) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=Group8)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser)))", scope "sub" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Search returned no results authentik-freeradius-1 | (15) Checking user object's memberOf attributes authentik-freeradius-1 | (15) Performing unfiltered search in "cn=testuser,ou=users,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (15) Processing memberOf value "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (15) Resolving group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (15) Performing unfiltered search in "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group3" authentik-freeradius-1 | (15) Processing memberOf value "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (15) Resolving group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (15) Performing unfiltered search in "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group4" authentik-freeradius-1 | (15) Processing memberOf value "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Group DN "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group5" authentik-freeradius-1 | rlm_ldap (ldap): Released connection (8) authentik-freeradius-1 | (15) User is not a member of "Group8" authentik-freeradius-1 | (15) elsif (LDAP-Group == "Group8") -> FALSE authentik-freeradius-1 | (15) elsif (LDAP-Group == "Group8_Archiv") { authentik-freeradius-1 | (15) Searching for user in group "Group8_Archiv" authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (7) authentik-freeradius-1 | (15) Using user DN from request "cn=testuser,ou=users,dc=ldap,dc=example,dc=com" authentik-freeradius-1 | (15) Search returned no results authentik-freeradius-1 | (15) Checking user object's memberOf attributes authentik-freeradius-1 | (15) Performing unfiltered search in "cn=testuser,ou=users,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Processing memberOf value "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (15) Resolving group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group3" authentik-freeradius-1 | (15) Processing memberOf value "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (15) Resolving group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (15) Performing unfiltered search in "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (15) Group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group4" authentik-freeradius-1 | (15) Processing memberOf value "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (15) Group DN "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group5" authentik-freeradius-1 | rlm_ldap (ldap): Released connection (7) authentik-freeradius-1 | (15) User is not a member of "Group8_Archiv" authentik-freeradius-1 | (15) elsif (LDAP-Group == "Group8_Archiv") -> FALSE authentik-freeradius-1 | (15) elsif (LDAP-Group == "Group8_Finanzen") { authentik-freeradius-1 | (15) Searching for user in group "Group8_Finanzen" authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (8) authentik-freeradius-1 | (15) Using user DN from request "cn=testuser,ou=users,dc=ldap,dc=example,dc=com" authentik-freeradius-1 | (15) Checking for user in group objects authentik-freeradius-1 | (15) EXPAND (&(cn=Group8_Finanzen)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}}))) authentik-freeradius-1 | (15) --> (&(cn=Group8_Finanzen)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser))) authentik-freeradius-1 | (15) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=Group8_Finanzen)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser)))", scope "sub" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Search returned no results authentik-freeradius-1 | (15) Checking user object's memberOf attributes authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Processing memberOf value "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (15) Resolving group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group3" authentik-freeradius-1 | (15) Processing memberOf value "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group4" authentik-freeradius-1 | (15) Processing memberOf value "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (15) Resolving group DN "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (15) Performing unfiltered search in "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Group DN "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group5" authentik-freeradius-1 | rlm_ldap (ldap): Released connection (8) authentik-freeradius-1 | (15) User is not a member of "Group8_Finanzen" authentik-freeradius-1 | (15) elsif (LDAP-Group == "Group8_Finanzen") -> FALSE authentik-freeradius-1 | (15) elsif (LDAP-Group == "Group8_Office") { authentik-freeradius-1 | (15) Searching for user in group "Group8_Office" authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (7) authentik-freeradius-1 | (15) Using user DN from request "cn=testuser,ou=users,dc=ldap,dc=example,dc=com" authentik-freeradius-1 | (15) Checking for user in group objects authentik-freeradius-1 | (15) EXPAND (&(cn=Group8_Office)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}}))) authentik-freeradius-1 | (15) --> (&(cn=Group8_Office)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser))) authentik-freeradius-1 | (15) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=Group8_Office)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser)))", scope "sub" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Search returned no results authentik-freeradius-1 | (15) Checking user object's memberOf attributes authentik-freeradius-1 | (15) Performing unfiltered search in "cn=testuser,ou=users,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Processing memberOf value "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (15) Resolving group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (15) Performing unfiltered search in "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group3" authentik-freeradius-1 | (15) Processing memberOf value "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (15) Resolving group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (15) Performing unfiltered search in "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group4" authentik-freeradius-1 | (15) Processing memberOf value "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Group DN "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group5" authentik-freeradius-1 | (15) elsif (LDAP-Group == "Group8_Office") -> FALSE authentik-freeradius-1 | (15) elsif (LDAP-Group == "Group8_VertraulicheDokumente") { authentik-freeradius-1 | (15) Search returned no results authentik-freeradius-1 | (15) Checking user object's memberOf attributes authentik-freeradius-1 | (15) Performing unfiltered search in "cn=testuser,ou=users,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Processing memberOf value "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (15) Resolving group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (15) Performing unfiltered search in "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group3" authentik-freeradius-1 | (15) Processing memberOf value "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (15) Resolving group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (15) Performing unfiltered search in "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (15) Group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group4" authentik-freeradius-1 | (15) Processing memberOf value "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (15) Resolving group DN "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (15) Performing unfiltered search in "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (15) Group DN "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group5" authentik-freeradius-1 | rlm_ldap (ldap): Released connection (8) authentik-freeradius-1 | (15) User is not a member of "Group8_VertraulicheDokumente" authentik-freeradius-1 | (15) elsif (LDAP-Group == "Group8_VertraulicheDokumente") -> FALSE authentik-freeradius-1 | (15) elsif (LDAP-Group == "Group8_Vorsitz") { authentik-freeradius-1 | (15) Searching for user in group "Group8_Vorsitz" authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (7) authentik-freeradius-1 | (15) Using user DN from request "cn=testuser,ou=users,dc=ldap,dc=example,dc=com" authentik-freeradius-1 | (15) Checking for user in group objects authentik-freeradius-1 | (15) EXPAND (&(cn=Group8_Vorsitz)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}}))) authentik-freeradius-1 | (15) Search returned no results authentik-freeradius-1 | (15) Checking user object's memberOf attributes authentik-freeradius-1 | (15) Performing unfiltered search in "cn=testuser,ou=users,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Processing memberOf value "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (15) Resolving group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (15) Performing unfiltered search in "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group3" authentik-freeradius-1 | (15) Processing memberOf value "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group4" authentik-freeradius-1 | (15) Processing memberOf value "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Group DN "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group5" authentik-freeradius-1 | rlm_ldap (ldap): Released connection (7) authentik-freeradius-1 | (15) elsif (LDAP-Group == "Group8_Vorsitz") -> FALSE authentik-freeradius-1 | (15) elsif (LDAP-Group == "Group14") { authentik-freeradius-1 | (15) Searching for user in group "Group14" authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (8) authentik-freeradius-1 | (15) Using user DN from request "cn=testuser,ou=users,dc=ldap,dc=example,dc=com" authentik-freeradius-1 | (15) Checking for user in group objects authentik-freeradius-1 | (15) EXPAND (&(cn=Group14)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}}))) authentik-freeradius-1 | (15) --> (&(cn=Group14)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser))) authentik-freeradius-1 | (15) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=Group14)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser)))", scope "sub" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Search returned no results authentik-freeradius-1 | (15) Checking user object's memberOf attributes authentik-freeradius-1 | (15) Performing unfiltered search in "cn=testuser,ou=users,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Processing memberOf value "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (15) Resolving group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (15) Performing unfiltered search in "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group3" authentik-freeradius-1 | (15) Processing memberOf value "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (15) Resolving group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (15) Performing unfiltered search in "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group4" authentik-freeradius-1 | (15) Processing memberOf value "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Group DN "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group5" authentik-freeradius-1 | rlm_ldap (ldap): Released connection (8) authentik-freeradius-1 | (15) User is not a member of "Group14" authentik-freeradius-1 | (15) elsif (LDAP-Group == "Group14") -> FALSE authentik-freeradius-1 | (15) elsif (LDAP-Group == "Group15") { authentik-freeradius-1 | (15) Searching for user in group "Group15" authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (7) authentik-freeradius-1 | (15) Using user DN from request "cn=testuser,ou=users,dc=ldap,dc=example,dc=com" authentik-freeradius-1 | (15) Checking for user in group objects authentik-freeradius-1 | (15) EXPAND (&(cn=Group15)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}}))) authentik-freeradius-1 | (15) --> (&(cn=Group15)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser))) authentik-freeradius-1 | (15) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=Group15)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser)))", scope "sub" authentik-freeradius-1 | (15) Search returned no results authentik-freeradius-1 | (15) Checking user object's memberOf attributes authentik-freeradius-1 | (15) Performing unfiltered search in "cn=testuser,ou=users,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Processing memberOf value "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (15) Resolving group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (15) Performing unfiltered search in "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group3" authentik-freeradius-1 | (15) Processing memberOf value "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (15) Resolving group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (15) Performing unfiltered search in "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group4" authentik-freeradius-1 | (15) Processing memberOf value "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (15) Resolving group DN "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) Group DN "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group5" authentik-freeradius-1 | rlm_ldap (ldap): Released connection (7) authentik-freeradius-1 | (15) User is not a member of "Group15" authentik-freeradius-1 | (15) elsif (LDAP-Group == "Group15") -> FALSE authentik-freeradius-1 | (15) elsif (LDAP-Group == "Group5") { authentik-freeradius-1 | (15) Searching for user in group "Group5" authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (8) authentik-freeradius-1 | (15) Using user DN from request "cn=testuser,ou=users,dc=ldap,dc=example,dc=com" authentik-freeradius-1 | (15) Checking for user in group objects authentik-freeradius-1 | (15) EXPAND (&(cn=Group5)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}}))) authentik-freeradius-1 | (15) --> (&(cn=Group5)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser))) authentik-freeradius-1 | (15) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=Group5)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser)))", scope "sub" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | (15) User found in group object "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" authentik-freeradius-1 | rlm_ldap (ldap): Released connection (8) authentik-freeradius-1 | (15) elsif (LDAP-Group == "Group5") -> TRUE authentik-freeradius-1 | (15) elsif (LDAP-Group == "Group5") { authentik-freeradius-1 | (15) update reply { authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (7) authentik-freeradius-1 | (15) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=Group5)(member=*testuser*))", scope "one" authentik-freeradius-1 | (15) Waiting for search result... authentik-freeradius-1 | rlm_ldap (ldap): Released connection (7) authentik-freeradius-1 | (15) EXPAND %{%{ldap:ldap:///ou=groups,dc=ldap,dc=example,dc=com?Tunnel-Private-Group-Id?one?(&(cn=Group5)(member=*%{&control:User-Name}*))}:-20} authentik-freeradius-1 | (15) --> 110 authentik-freeradius-1 | (15) &Tunnel-Private-Group-Id = 110 authentik-freeradius-1 | (15) } # update reply = noop authentik-freeradius-1 | (15) } # elsif (LDAP-Group == "Group5") = noop authentik-freeradius-1 | (15) ... skipping elsif: Preceding "if" was taken authentik-freeradius-1 | (15) ... skipping elsif: Preceding "if" was taken authentik-freeradius-1 | (15) ... skipping elsif: Preceding "if" was taken authentik-freeradius-1 | (15) ... skipping elsif: Preceding "if" was taken authentik-freeradius-1 | (15) ... skipping else: Preceding "if" was taken authentik-freeradius-1 | (15) [updated] = updated authentik-freeradius-1 | (15) } # post-auth = updated authentik-freeradius-1 | (15) Sent Access-Accept Id 16 from 10.1.2.1:1812 to 10.0.0.5:46092 length 61 authentik-freeradius-1 | (15) Framed-MTU += 994 authentik-freeradius-1 | (15) Tunnel-Type = VLAN authentik-freeradius-1 | (15) Tunnel-Medium-Type = IEEE-802 authentik-freeradius-1 | (15) Tunnel-Private-Group-Id = "110" authentik-freeradius-1 | (15) Finished request authentik-freeradius-1 | Waking up in 4.9 seconds. authentik-freeradius-1 | (15) Cleaning up request packet ID 16 with timestamp +1251 due to cleanup_delay was reached authentik-freeradius-1 | Ready to process requests
On Jul 9, 2025, at 12:35 PM, Christoph Egger via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I need to add MPPE keys in the reply packet for the WPA NAS to have an encrypted connection to the mobile client.
The MPPE keys are added automatically by the authentication method.
That is what the vendor says their WPA NAS requires for wireless clients. The documentation I found concerning to MPPE keys are related to MS-CHAP.
Sure. They're also used for EAP.
What keys/values can I use to add MPPE ? I am doing EAP-TTLS+PAP.
You don't "use values" for them. The values are calculated automatically. And the debug output below doesn't show it using TTLS+PAP.
The final Access-Accept should look like this:
Yes... we know that.
The full debug output:
That is NOT the full debug output. The documentation which you should have read by now explains what the full debug output is. But in any case, the debug output is large, but clear. I'll edit it and comment on it below.
authentik-freeradius-1 | (8) Received Access-Request Id 9 from 10.0.0.5:46092 to 10.1.2.1:1812 length 273
Why the extra text "authentik-freeradius-1 "? It doesn't add anything useful. i.e. the harder it is for people to follow the debug output, the harder it is to help you. There are a bunch of packets from (8) to (14) all obout TTLS, and then this:
authentik-freeradius-1 | Waking up in 4.9 seconds. authentik-freeradius-1 | (15) Received Access-Request Id 16 from 10.0.0.5:46092 to 10.1.2.1:1812 length 358 authentik-freeradius-1 | (15) User-Name = "thatsme" authentik-freeradius-1 | (15) } # if (&User-Name) = notfound authentik-freeradius-1 | (15) } # policy filter_username = notfound authentik-freeradius-1 | (15) eap: Peer sent packet with method EAP TTLS (21) authentik-freeradius-1 | (15) eap: Calling submodule eap_ttls to process data authentik-freeradius-1 | (15) eap_ttls: Authenticate authentik-freeradius-1 | (15) eap_ttls: (TLS) EAP Done initial handshake authentik-freeradius-1 | (15) eap_ttls: Session established. Proceeding to decode tunneled attributes authentik-freeradius-1 | (15) eap_ttls: Got tunneled request authentik-freeradius-1 | (15) eap_ttls: User-Name = "testuser" authentik-freeradius-1 | (15) Expecting proxy response no later than 29.667657 seconds from now
That's very weird. It should run the inner tunnel data through the virtual server "inner-tunnel". But I can't tell if that's been configured properly because the debug output has been edited to remove all of the startup information about the module configuration. Have I mentioned posting the FULL debug output before? Is there some reason why it's still being edited before posting?
authentik-freeradius-1 | Waking up in 4.5 seconds. authentik-freeradius-1 | Suppressing duplicate proxied request (too fast) to home server 172.16.1.7 port 1812 - ID: 15
That's also unusual, and shouldn't happen. There's something weird going on. Maybe with packets (0)..(7), but again I can't tell, because those have "helpfully" been removed.
authentik-freeradius-1 | (15) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! authentik-freeradius-1 | (15) BlastRADIUS check: Received packet without Message-Authenticator from home_server authentik_radius_outpost authentik-freeradius-1 | (15) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! authentik-freeradius-1 | (15) The packet does not contain Message-Authenticator, which is a security issue authentik-freeradius-1 | (15) UPGRADE THE HOME SERVER AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK. authentik-freeradius-1 | (15) Once the home server is upgraded, set "require_message_authenticator = true" for home_server authentik_radius_outpost authentik-freeradius-1 | (15) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! authentik-freeradius-1 | (15) Clearing existing &reply: attributes authentik-freeradius-1 | (15) Received Access-Accept Id 15 from 172.16.1.7:1812 to 10.1.2.1:47859 length 20 authentik-freeradius-1 | (15) server default { authentik-freeradius-1 | (15) }
The Access-Accept from the home server is empty, and doesn't contain the MPPE attributes. This reply is what's being sent back to the client. That's why the MPPE attributes are msising. You've somehow configured the server in a very unusual way, and perhaps have triggered a bug. But without the full debug output, it's impossible to say more. Did I mention POST THE FULL DEBUG OUTPUT? This is the last time I will say that. There is no excuse for this continual refusal to follow the documentation and clear instructions. Alan DeKok.
participants (2)
-
Alan DeKok -
Christoph Egger