Need help with EAP-MSCHAPv2 config

Alan DeKok aland at
Tue Feb 11 02:40:17 CET 2020

On Feb 10, 2020, at 8:31 PM, Yongqiang He <thehyq at> wrote:
> Here is full output with error connecting from the real client.

  As I suggested, there's no call to the "sql" module when the client is doing EAP-MSCHAPv2.

> (12) eap: No EAP Start, assuming it's an on-going EAP conversation
> (12)     [eap] = updated
> (12)   } # authorize = updated

  It stops here...

  When the server receives just MS-CHAPv2, we see:

> (13)     [eap] = noop
> (13)     [files] = noop
> (13) sql: EXPAND %{User-Name}
> (13) sql:    --> testing

  See?  It calls "files" and "sql" after "eap".

  You'll have to edit the "default" virtual server:

	#  The "updated" check is commented out for compatibility with
	#  previous versions of this configuration, but you may wish to
	#  uncomment it as well; this will further reduce the number of
	#  LDAP and/or SQL queries for TTLS or PEAP.
	eap {
		ok = return
#		updated = return

  The above lines are in the default configuration.  They work.  You uncommented the "updated = return" line, which broke EAP-MSCHAPv2.

  Comment out that line again.  Return it to the default configuration, and it will work.

  Alan DeKok.

More information about the Freeradius-Users mailing list