Auth: Login incorrect: [maxx09/<no User-Password attribute>]

Alan DeKok aland at
Sun Mar 22 20:55:15 CET 2020

On Mar 22, 2020, at 1:07 PM, Sam T <givemesam at> wrote:
> What you are trying to do: Get radius to work with mikrotik ikev2
> authorization / client has self signed CA cert, Server has signed server +
> CA cert
>   - why you are trying to do it: to add ikev2 radius auth while also
>   supporting wifi authorization (which is working great)
>   - what you expect the server to do: to accept user pass from mikrotik,
>   and provide authorization reply w/ radreply attributes
>   - what the server does instead (i.e. debug output). see output
> (my previous submission ran freeradius -X on top of a running server, this
> time i followed the instructions, here is 1 clean process of the ikev2
> request)
> rad_recv: Access-Request packet from host port 40641, id=66,
> length=143
> User-Name = "maxx09"
> Called-Station-Id = "444.555.666.777"
> Calling-Station-Id = "222.333.444.555"
> NAS-Port-Id = "\000\000\000\r"
> NAS-Port-Type = Virtual
> Service-Type = Framed-User
> Event-Timestamp = "Mar 22 2020 16:54:39 UTC"
> Framed-MTU = 1400
> EAP-Message = 0x0200000b016d6178783039

  It's EAP, which means that there is likely no User-Password *ever* in the request.

> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!    Replacing User-Password in config items with Cleartext-Password.
> !!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!! Please update your configuration so that the "known good"
> !!!
> !!! clear text password is in Cleartext-Password, and not in User-Password.
> !!!

  Please follow that advice.  The "known good" password should be in Cleartext-Password.  Putting it into User-Password has been deprecated for 15+ years.

> Cannot perform authentication.
> Failed to authenticate the user.

  Because the user is doing EAP, and you deleted the "eap" module from the "authorize" section.

  The default configuration works.  Start with that, and make small changes, in order to get what you want.

  If you delete massive amounts of things from the default configuration, you are very likely to break something.  As has been done here.

  The EAP module does EAP authentication.  You MUST configure the EAP module in order for this to work.

  Alan DeKok.

More information about the Freeradius-Users mailing list