Hi Alan, I'm facing the issue with configuration EAP-TTLS, LDAP and Perl and using test client as "eapol_test". Please find the debug logs below: rad_recv: Access-Request packet from host 127.0.0.1 port 45673, id=0, length=206 User-Name = "xxxxxxxx" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020000360175736572317676746e746b6a6b636b76656469756366767672636e657563756b6c766465637475726a646a666b676e7267 Message-Authenticator = 0x065b1291e4b6cff7cecc69db3a9b5b83 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "xxxxxxxx", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 54 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Calling-Station-Id = 02-00-00-00-00-01 rlm_perl: Added pair Message-Authenticator = 0x065b1291e4b6cff7cecc69db3a9b5b83 rlm_perl: Added pair User-Name = xxxxxxxx rlm_perl: Added pair EAP-Message = 0x020000360175736572317676746e746b6a6b636b76656469756366767672636e657563756b6c766465637475726a646a666b676e7267 rlm_perl: Added pair Connect-Info = CONNECT 11Mbps 802.11b rlm_perl: Added pair EAP-Type = Identity rlm_perl: Added pair NAS-IP-Address = 127.0.0.1 rlm_perl: Added pair Framed-MTU = 1400 rlm_perl: Added pair Auth-Type = EAP ++[perl] returns ok ++[files] returns noop [ldap] performing user authorization for xxxxxxxx [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> xxxxxxxx [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=xxxxxxxx) [ldap] expand: dc=example,dc=com -> dc=example,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 192.168.1.103:389, authentication 0 [ldap] bind as cn=admin,dc=example,dc=com/xxxxxxxx to 192.168.1.103:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=example,dc=com, with filter (uid=xxxxxxxx) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Cleartext-Password == "xxxxxxxx" [ldap] userPassword -> Password-With-Header == "xxxxxxxx" [ldap] looking for reply items in directory... [ldap] user xxxxxxxx authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok [pap] Config already contains "known good" password. Ignoring Password-With-Header [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group EAP {...} rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Calling-Station-Id = 02-00-00-00-00-01 rlm_perl: Added pair Message-Authenticator = 0x065b1291e4b6cff7cecc69db3a9b5b83 rlm_perl: Added pair User-Name = xxxxxxxx rlm_perl: Added pair EAP-Message = 0x020000360175736572317676746e746b6a6b636b76656469756366767672636e657563756b6c766465637475726a646a666b676e7267 rlm_perl: Added pair Connect-Info = CONNECT 11Mbps 802.11b rlm_perl: Added pair EAP-Type = Identity rlm_perl: Added pair NAS-IP-Address = 127.0.0.1 rlm_perl: Added pair Framed-MTU = 1400 rlm_perl: Added pair h323-credit-amount = 100 rlm_perl: Added pair Cleartext-Password = xxxxxxxx rlm_perl: Added pair Password-With-Header = xxxxxxxx rlm_perl: Added pair Ldap-UserDn = uid=xxxxxxxx,ou=people,dc=example,dc=com rlm_perl: Added pair Auth-Type = EAP ++[perl] returns ok [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 127.0.0.1 port 45673 h323-credit-amount = "100" EAP-Message = 0x010100061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2a7f4cbf2a7e5963e2206d31c110709d Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 45673, id=1, length=271 User-Name = "xxxxxxxx" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020100651500160301005a010000560301507c49a86cfabf980d6b3d94daf27fe3f600a2320dbc3427626ca4b918ad885f00002800390038003500160013000a00330032002f000500040015001200090014001100080006000300ff020100000400230000 State = 0x2a7f4cbf2a7e5963e2206d31c110709d Message-Authenticator = 0x7984af4d41a5bfd6c39d9a472fe0cc17 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "xxxxxxxx", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 101 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group EAP {...} rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair State = 0x2a7f4cbf2a7e5963e2206d31c110709d rlm_perl: Added pair Calling-Station-Id = 02-00-00-00-00-01 rlm_perl: Added pair Message-Authenticator = 0x7984af4d41a5bfd6c39d9a472fe0cc17 rlm_perl: Added pair User-Name = xxxxxxxx rlm_perl: Added pair EAP-Message = 0x020100651500160301005a010000560301507c49a86cfabf980d6b3d94daf27fe3f600a2320dbc3427626ca4b918ad885f00002800390038003500160013000a00330032002f000500040015001200090014001100080006000300ff020100000400230000 rlm_perl: Added pair Connect-Info = CONNECT 11Mbps 802.11b rlm_perl: Added pair EAP-Type = EAP-TTLS rlm_perl: Added pair NAS-IP-Address = 127.0.0.1 rlm_perl: Added pair Framed-MTU = 1400 rlm_perl: Added pair h323-credit-amount = 100 rlm_perl: Added pair Auth-Type = EAP ++[perl] returns ok [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 005a], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 0031], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 02cd], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 018d], ServerKeyExchange [ttls] TLS_accept: SSLv3 write key exchange A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 1 to 127.0.0.1 port 45673 h323-credit-amount = "100" EAP-Message = 0x0102040015c0000004a316030100310200002d0301507c49a876d497d9f77288e6caa927ae9f07fcb259dfeb517d0ddbfa14c671c3000039010005ff0100010016030102cd0b0002c90002c60002c3308202bf308202280209008b00025017ffafe4300d06092a864886f70d01010505003081a3310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e310c300a060355040b130378797a312830260603550403141f224578616d706c6520436572746966696361746520417574686f72697479223120301e06092a86 EAP-Message = 0x4886f70d010901161161646d696e406578616d706c652e636f6d301e170d3132303931343136313931335a170d3133303931343136313931335a3081a3310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e310c300a060355040b130378797a312830260603550403141f224578616d706c6520436572746966696361746520417574686f72697479223120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100 EAP-Message = 0xc3d1b3c57f4c72c389bb132649aea31dd2d59953c56dc5e6a9630e5bf0902e8fbf68719eac848433d850602060ebc642c7cf0e121703ba1c152e713977216eef5f764473beafa4c53f51c96df814b4ab3b9de7ea22ba81d9b638d6333300a3fec763da2ad7f78574ac58c496749cbd1b22a732116ee9a25ae1131ce99ea00d310203010001300d06092a864886f70d01010505000381810007b898f0f249f93acd6b72df3a831a47c0a50b974b73da77b1824a9d77e8ce517299175fdc0c5e1610da5ad53fe266a585f30b23db1c980cc717acacc6f50ada63ca95daebed12b1ee47b704e6ccc2a84a44b27b0a17e14f19036e703a18c93687bdbe2b7e EAP-Message = 0x78e990b1fb0ab9c489ccde5194eeee3974c42c7c3b0e3bfb5b2901160301018d0c0001890080c51c91cdb5dca84043ba6593725729e34c8db0986ef811b01d68d07c6f04b760bbc897fd296a98bce2a9e42f042c06074b2196d7eed711f388cab4e53eaac23a9f6b0244de91671659f446ce85bb8898dfd490c60e0d313ba5a59f7718c43a8b5864192b3edd5a3c4a696b93fa28559d52cc52de8db8dcbff46d809a46bf34c300010200804321e02ced80d60dbdce5f94fe118280f401a58c2a9841bf073318ec6ac528ddddf128849ad36365c3a60b90e234dc959e312c6ad8d02bb330e66686b6dafe243a8188d46b270abd9a30d3a6f6e7e4454dcc EAP-Message = 0xb3c45b3ea56942954e0dbb66 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2a7f4cbf2b7d5963e2206d31c110709d Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 45673, id=2, length=176 User-Name = "xxxxxxxx" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020200061500 State = 0x2a7f4cbf2b7d5963e2206d31c110709d Message-Authenticator = 0x4d08a46158ad21253a616e97ad9ded18 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "xxxxxxxx", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group EAP {...} rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair State = 0x2a7f4cbf2b7d5963e2206d31c110709d rlm_perl: Added pair Calling-Station-Id = 02-00-00-00-00-01 rlm_perl: Added pair Message-Authenticator = 0x4d08a46158ad21253a616e97ad9ded18 rlm_perl: Added pair User-Name = xxxxxxxx rlm_perl: Added pair EAP-Message = 0x020200061500 rlm_perl: Added pair Connect-Info = CONNECT 11Mbps 802.11b rlm_perl: Added pair EAP-Type = EAP-TTLS rlm_perl: Added pair NAS-IP-Address = 127.0.0.1 rlm_perl: Added pair Framed-MTU = 1400 rlm_perl: Added pair h323-credit-amount = 100 rlm_perl: Added pair Auth-Type = EAP ++[perl] returns ok [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 2 to 127.0.0.1 port 45673 h323-credit-amount = "100" EAP-Message = 0x010300b71580000004a3f4da3a4fff56705c0118ee01841f0b363c07293ebcf69d05e1092c3e054bbdea541f00803a833293f40d96e86f2c849b5cdf9887eb868d3cac267e53b77c5ebe63b3a5e5989c08510c398b8dc3281bfdb5ae3578214cb26716be3557ca7f35d1a46a9a37b7b4d1eae9a10cace3b13dc194fb72249724b4b59c7dd62e66718bd50dcdb6ec376c57e4556cf4c44daa9c0adcf284e5c865714a7f71db352238d81e4207798016030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2a7f4cbf287c5963e2206d31c110709d Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 45673, id=3, length=374 User-Name = "xxxxxxxx" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020300cc1500160301008610000082008090fd20bda5d27eb2d4deee9e076d8f77a8b14a91f33c6620eb5a3896f8280acd0bbd5bb0da405e5b09a842867e6083d21ee749f7f0ba637c2dd89005b8b98bb354742b01d83c676aee9a014355fbeff4b546055a2e0c39fd5a43ddac2031b42f81902efe3f17199e8f8be74683d1b0e05f2f126d7650a084e2800d62f26ab50f1403010001011603010030ccdda6df2d462f7b0b12cc43b02ee696b4cde6befa312d4147968c9af09c1e95b3ee38f8bd2b2521d88f4ed09e2f6969 State = 0x2a7f4cbf287c5963e2206d31c110709d Message-Authenticator = 0x3cee3f55cea92deefa2591caaea03633 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "xxxxxxxx", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 204 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group EAP {...} rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair State = 0x2a7f4cbf287c5963e2206d31c110709d rlm_perl: Added pair Calling-Station-Id = 02-00-00-00-00-01 rlm_perl: Added pair Message-Authenticator = 0x3cee3f55cea92deefa2591caaea03633 rlm_perl: Added pair User-Name = xxxxxxxx rlm_perl: Added pair EAP-Message = 0x020300cc1500160301008610000082008090fd20bda5d27eb2d4deee9e076d8f77a8b14a91f33c6620eb5a3896f8280acd0bbd5bb0da405e5b09a842867e6083d21ee749f7f0ba637c2dd89005b8b98bb354742b01d83c676aee9a014355fbeff4b546055a2e0c39fd5a43ddac2031b42f81902efe3f17199e8f8be74683d1b0e05f2f126d7650a084e2800d62f26ab50f1403010001011603010030ccdda6df2d462f7b0b12cc43b02ee696b4cde6befa312d4147968c9af09c1e95b3ee38f8bd2b2521d88f4ed09e2f6969 rlm_perl: Added pair Connect-Info = CONNECT 11Mbps 802.11b rlm_perl: Added pair EAP-Type = EAP-TTLS rlm_perl: Added pair NAS-IP-Address = 127.0.0.1 rlm_perl: Added pair Framed-MTU = 1400 rlm_perl: Added pair h323-credit-amount = 100 rlm_perl: Added pair Auth-Type = EAP ++[perl] returns ok [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 3 to 127.0.0.1 port 45673 h323-credit-amount = "100" EAP-Message = 0x0104004515800000003b140301000101160301003044e95766bb9308bc45e92fa37e082e248aa382cb961ee973693c1e7c695c35e664de49304756c6e6430fe00e640ea5c4 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2a7f4cbf297b5963e2206d31c110709d Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 45673, id=4, length=394 User-Name = "xxxxxxxx" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020400e0150017030100207c1f492109c1413df90458ac8bc6e2a363b5f4ef4a1b6b8e7e722ce41b4ac2fa17030100b0d13c2711852a1deb05113832a62cce19b446645bda91d1e8cb46d1339a44896b5ea3eee06c87e3309539d37d19c3c3ffa1cf4f32273143254278ad1bfafca9aa36d7f01fef67759698d74aa1d4aacf8ed329a53e24196b1817b85710bec6030ab55b2c69ce39ea67d900e7d392948b935cac44d35fa78211a54d318e60f1653c05103fcf515aa61da4e66b4ae43b9d4db728d023a9fcd03d6d4fa2e315a78021974d7f8b6df36a6f75442e2f8fe33712 State = 0x2a7f4cbf297b5963e2206d31c110709d Message-Authenticator = 0x90ceee8718eb32ddcf5b3a9d56136a94 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "xxxxxxxx", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 224 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group EAP {...} rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair State = 0x2a7f4cbf297b5963e2206d31c110709d rlm_perl: Added pair Calling-Station-Id = 02-00-00-00-00-01 rlm_perl: Added pair Message-Authenticator = 0x90ceee8718eb32ddcf5b3a9d56136a94 rlm_perl: Added pair User-Name = xxxxxxxx rlm_perl: Added pair EAP-Message = 0x020400e0150017030100207c1f492109c1413df90458ac8bc6e2a363b5f4ef4a1b6b8e7e722ce41b4ac2fa17030100b0d13c2711852a1deb05113832a62cce19b446645bda91d1e8cb46d1339a44896b5ea3eee06c87e3309539d37d19c3c3ffa1cf4f32273143254278ad1bfafca9aa36d7f01fef67759698d74aa1d4aacf8ed329a53e24196b1817b85710bec6030ab55b2c69ce39ea67d900e7d392948b935cac44d35fa78211a54d318e60f1653c05103fcf515aa61da4e66b4ae43b9d4db728d023a9fcd03d6d4fa2e315a78021974d7f8b6df36a6f75442e2f8fe33712 rlm_perl: Added pair Connect-Info = CONNECT 11Mbps 802.11b rlm_perl: Added pair EAP-Type = EAP-TTLS rlm_perl: Added pair NAS-IP-Address = 127.0.0.1 rlm_perl: Added pair Framed-MTU = 1400 rlm_perl: Added pair h323-credit-amount = 100 rlm_perl: Added pair Auth-Type = EAP ++[perl] returns ok [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request User-Name = "xxxxxxxx" MS-CHAP-Challenge = 0x059b04af3b71d9387b15f96b14a7a4c2 MS-CHAP2-Response = 0x77005d91d477265941c389c2b9f9372a1a5000000000000000003459aea6d0b65a6173735fa334560fb0bb2190a33f9b3b88 FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request User-Name = "xxxxxxxx" MS-CHAP-Challenge = 0x059b04af3b71d9387b15f96b14a7a4c2 MS-CHAP2-Response = 0x77005d91d477265941c389c2b9f9372a1a5000000000000000003459aea6d0b65a6173735fa334560fb0bb2190a33f9b3b88 FreeRADIUS-Proxied-To = 127.0.0.1 NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "02-00-00-00-00-01" Connect-Info = "CONNECT 11Mbps 802.11b" NAS-IP-Address = 127.0.0.1 Framed-MTU = 1400 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok [suffix] No '@' in User-Name = "xxxxxxxx", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Calling-Station-Id = 02-00-00-00-00-01 rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1 rlm_perl: Added pair MS-CHAP-Challenge = 0x059b04af3b71d9387b15f96b14a7a4c2 rlm_perl: Added pair User-Name = xxxxxxxx rlm_perl: Added pair MS-CHAP2-Response = 0x77005d91d477265941c389c2b9f9372a1a5000000000000000003459aea6d0b65a6173735fa334560fb0bb2190a33f9b3b88 rlm_perl: Added pair Connect-Info = CONNECT 11Mbps 802.11b rlm_perl: Added pair NAS-IP-Address = 127.0.0.1 rlm_perl: Added pair Framed-MTU = 1400 rlm_perl: Added pair Auth-Type = MSCHAP rlm_perl: Added pair Proxy-To-Realm = LOCAL ++[perl] returns ok ++[files] returns noop [ldap] performing user authorization for xxxxxxxx [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> xxxxxxxx [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=xxxxxxxx) [ldap] expand: dc=example,dc=com -> dc=example,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=example,dc=com, with filter (uid=xxxxxxxx) [ldap] object not found [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[pap] returns noop Found Auth-Type = MSCHAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: xxxxxxxx [mschap] Told to do MS-CHAPv2 for xxxxxxxx with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. *[mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject Failed to authenticate the user. } # server inner-tunnel [ttls] Got tunneled reply code 3 MS-CHAP-Error = "wE=691 R=1" [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user.* Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> xxxxxxxx attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 4 for 1 seconds Going to the next request Waking up in 0.2 seconds. Sending delayed reject for request 4 Sending Access-Reject of id 4 to 127.0.0.1 port 45673 EAP-Message = 0x04040004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 0 ID 0 with timestamp +2 Cleaning up request 1 ID 1 with timestamp +3 Cleaning up request 2 ID 2 with timestamp +3 Cleaning up request 3 ID 3 with timestamp +3 Waking up in 1.0 seconds. Cleaning up request 4 ID 4 with timestamp +3 Ready to process requests. Thanks and best regards, Nand.
Nandkumar Palkar wrote:
Hi Alan,
I'm facing the issue with configuration EAP-TTLS, LDAP and Perl and using test client as "eapol_test".
Please find the debug logs below:
You need to read it. It isn't hard. You highlighted in red the *wrong* piece. Look at the debug messages before that. Alan DeKok.
Hi Alan, My configuration details: 1. my configuration is - EAP, TTLS, LDAP, Perl 2. Sending "username + OTP" and "LDAP password" as input credentials 3. Virtual servers has: "Default" and "inner-tunnel" *Authorize:* preprocess chap mschap suffix eap { ok = return } perl files ldap pap *Authenticate:* Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } Auth-Type EAP{ perl eap } 4. Perl module is calling script "example.pl", in this "Authorize" section of script I'm separating username and OTP and sending OTP for validation. => Rusult = Succeed 5. LDAP uses username from perl module and goes for authentication => Result = Succeed 6. In Authentication section of Virtual servers: Perl module script "authentication section" sets original username i.e. "username + otp" again to "User-Name" attribute and then proceed for EAP auth-type. Auth-Type EAP{ perl eap } => *Result = Failed* Found Auth-Type = MSCHAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: user1vvtntkjkckvediucfvvrcneucuklvdecturjdjfkgnrg [mschap] Told to do MS-CHAPv2 for user1vvtntkjkckvediucfvvrcneucuklvdecturjdjfkgnrg with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject Failed to authenticate the user. Please help. Thanks and best regards, Nand. On Mon, Oct 15, 2012 at 8:01 PM, Alan DeKok <aland@deployingradius.com>wrote:
Nandkumar Palkar wrote:
Hi Alan,
I'm facing the issue with configuration EAP-TTLS, LDAP and Perl and using test client as "eapol_test".
Please find the debug logs below:
You need to read it. It isn't hard.
You highlighted in red the *wrong* piece. Look at the debug messages before that.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Regards, Nandkumar Palkar Mob: 9967024237
On 10/16/2012 08:09 AM, Nandkumar Palkar wrote:
Found Auth-Type = MSCHAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password.
MSCHAP requires you have the plaintext or NT hash. See here: http://deployingradius.com/documents/protocols/compatibility.html You cannot do MSCHAP unless you have these. More generally, your config looks horrible. I've got no idea what you are trying to accomplish, but whatever you're doing, mangling the username and trying to call two "auth" modules in "authenticate {}" is not right. Search the archives for info on how people have done OTP in FreeRADIUS.
participants (3)
-
Alan DeKok -
Nandkumar Palkar -
Phil Mayers