802.1X - ldap AND users file
Cedric Delaunay
cedric.delaunay at insa-rennes.fr
Fri Apr 10 11:50:46 UTC 2026
Hello,
Unfortunately, I tried your proposals this morning without success:
I got this error during the last challenge:
# handle the myuser account
myuser Auth-Type := Accept
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    #Tunnel-Private-Group-ID = "407",
    Tmp-String-1 = "407"
inner-tunnel:
authorize {
    ....
    #
    # Read the 'users' file
    files
    if (&request:User-Name == "myuser") {
        update {
            # &Cleartext-Password = &request:User-Name
            &control:SMB-Account-CTRL-TEXT := '[N]'
            &reply:MS-CHAP2-Success = 'password-free'
        }
    }
    ....
rlm_ldap (ldap): Reserved connection (0)
(10) ldap: EXPAND (uid=%{mschap:User-Name})
(10) ldap: --> (uid=anonymous)
(10) ldap: Performing search in "dc=insa-rennes,dc=fr" with filter "(uid=anonymous)", scope "sub"
(10) ldap: Waiting for search result...
(10) ldap: Search returned no results
rlm_ldap (ldap): Released connection (0)
(10) [ldap] = notfound
(10) [expiration] = noop
(10) [logintime] = noop
(10) [pap] = noop
(10) } # authorize = ok
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/freeradius/sites-enabled/default
(10) authenticate {
(10) eap: Removing EAP session with state 0xf1f3b91af8dda0ab
(10) eap: Previous EAP request found for state 0xf1f3b91af8dda0ab, released from the list
(10) eap: Peer sent packet with method EAP PEAP (25)
(10) eap: Calling submodule eap_peap to process data
(10) eap_peap: (TLS) EAP Done initial handshake
(10) eap_peap: Session established. Decoding tunneled attributes
(10) eap_peap: PEAP state send tlv success
(10) eap_peap: Received EAP-TLV response
(10) eap_peap: Client rejected our response. The password is probably incorrect
(10) eap_peap: ERROR: We sent a success, but the client did not agree
(10) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(10) eap: Sending EAP Failure (code 4) ID 46 length 4
(10) eap: Failed in EAP select
(10) [eap] = invalid
(10) } # authenticate = invalid
(10) Failed to authenticate the user
(10) Using Post-Auth-Type Reject
(10) # Executing group from file /etc/freeradius/sites-enabled/default
(10) Post-Auth-Type REJECT {
That's what Brian expected :( => the server is OK but the client doesn't agree.
Any other way to reach my goal?
Thanks
--
Cédric Delaunay
Infrastructure Team / Information Systems Department
Deputy CISO
Tel.: +33 (0)2 23 23 8568
INSA Rennes
20 avenue des Buttes de Coësmes
CS 70839 - 35 708 RENNES Cedex 7
From: "Cedric Delaunay" <cedric.delaunay at insa-rennes.fr>
To: "freeradius-users" <freeradius-users at lists.freeradius.org>
Sent: Thursday 2 April 2026 21:41:09
Subject: Re: 802.1X - ldap AND users file
Hello,
Thanks for your answers, I will look at this as soon as possible
Cédric
From: "Cedric Delaunay" <cedric.delaunay at insa-rennes.fr>
To: freeradius-users at lists.freeradius.org
Sent: Wednesday 1 April 2026 17:22:58
Subject: 802.1X - ldap AND users file
Hello List,
Wired network project running here.
Device users authenticate successfully using PEAP/MSCHAPv2 and an LDAP backend.
The outer identity is configured as anonymous.
I'd like to find out how to force "accept" for a special user, based on the "mods-config/files/authorize" file:
- the user is logged in on the device, so the real username is known only by the inner tunnel
- the user isn't known by LDAP (that's why I'm trying the "users" file)
- the user's password may change, so I don't want to check it
The "users" entry looks like:
myuser Auth-Type := Accept
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    #Tunnel-Private-Group-ID = "407",
    Tmp-String-1 = "407"
Tmp-String-1 is used by the default/post-auth section like this:
update reply {
    Tunnel-Private-Group-Id := "%{reply:Tmp-String-1}"
}
The files module is enabled in inner-tunnel/authorize.
My problem:
I can see "accept" during inner-tunnel (after the authorize files module):
(9) files: users: Matched entry myuser at line 99
(9) [files] = ok
(9) } # authorize = ok
(9) Found Auth-Type = Accept
(9) Auth-Type = Accept, accepting the user
(9) # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
but the next challenge says:
(10) eap_peap: ERROR: We sent a success, but the client did not agree
(10) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
I don't know what the best way to achieve this is.
Any idea?
Thanks
--
Cédric Delaunay
Systems and Networks Infrastructure Department / Information Systems Department
Network Admin / Deputy CISO
Tel.: +33 (0)2 23 23 8568
INSA Rennes
20 avenue des Buttes de Coësmes
CS 70839 - 35 708 RENNES Cedex 7
http://www.insa-rennes.fr/