Yet another multiple SSID setup question

Fajar A. Nugraha list at
Fri Jul 15 03:15:08 CEST 2011

On Fri, Jul 15, 2011 at 7:13 AM, Nick Kartsioukas
<lists.freeradius at> wrote:
> Okay, I've gotten a bit further, but I'm still not grasping something in
> the process flow from authorization to authentication and EAP outer and
> inner methods.
> I'll paste relevant chunks of my authorize, authenticate, and eap config
> sections below.  The conditional switch statement is working properly
> and matching my SSID (I do have other statements there, I just chopped
> them out here for brevity), the LDAP lookup is working properly and
> granting me authorization, but when it goes to EAP to perform
> authentication it seems like it never gets to the inner MSCHAPv2 auth
> and eventually fails.
> ERROR: No authenticate method (Auth-Type) found for the request:
> Rejecting the user
> Failed to authenticate the user.
> Login incorrect: [nicholas_kartsioukas] (from client slo-wlc1 port 0 via
> TLS tunnel)
> } # server
> [peap] Got tunneled reply code 3
> [peap] Got tunneled reply RADIUS code 3
> [peap] Tunneled authentication was rejected.
> [peap] FAILURE
> I've attached the full debug log.  Hopefully someone can point me in the
> right direction?  Thanks!

I'd look at  these lines:

[ldap_parrotfish] performing search in ou=CUESTA,dc=cuesta,dc=org,
with filter (sAMAccountName=nicholas_kartsioukas)
[ldap_parrotfish] No default NMAS login sequence
[ldap_parrotfish] looking for check items in directory...
[ldap_parrotfish] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure
that the user is configured correctly?

Do you have cleartex-password somewhere in your LDAP schema?

If not, then MSCHAPv2 will NOT work. It MIGHT work with TTLS-PAP or
PEAP-GTC, but requires special setup (to force LDAP bind).

If yes, then check ldap.attrmap to ensure attribute mappings matched.


More information about the Freeradius-Users mailing list