2 things:

1) Near the bottom of the debug output there is a line that says you are passing the username as domain\user, and it asks if you have enabled the with NT domain hack option? Check your mschap module config to see if this is enabled; it is commented out by default. You can check the complete debug output that includes the server initializing, and you can see it there IF it is enabled.

2) I gave up on PEAP/MSCHAPv2 on Linux; EAP/TTLS works great for me with no other config tweaks after I got the Windows clients working! If there is not a super important requirement to use the same authorization on both platforms, you could do the same. Just an idea.

Jake Sallee
Godfather Of Bandwidth
Network Engineer
Fone: 254-295-4658
Phax: 254-295-4221

-----Original Message-----
From: freeradius-users-bounces+jake.sallee=umhb....@lists.freeradius.org [mailto:[email protected] rg] On Behalf Of snowman5840
Sent: Friday, October 22, 2010 11:58 AM
To: [email protected]
Subject: Re: LDAP authentication failed

OK, I found my problem. I had forgotten to add my domain in the proxy.conf; after I did this, the LDAP search works fine. But now I have one more problem with authentication. I want to use PEAP with MSCHAP to support both Windows and Linux systems, but authentication fails. I don't know what I have to configure or where the problem is. I would be very happy about some hints. I'm sorry about the very long debug output....

rad_recv: Access-Request packet from host 192.168.0.2 port 1812, id=86, length=149
    NAS-IP-Address = 192.168.0.2
    NAS-Port = 50006
    NAS-Port-Type = Ethernet
    User-Name = "FIRMA1\\usera"
    Called-Station-Id = "00-15-F9-D8-7C-C6"
    Calling-Station-Id = "00-1A-4B-63-69-0B"
    Service-Type = Framed-User
    Framed-MTU = 1500
    State = 0x1558e554175bfc9edc831547521be2ad
    EAP-Message = 0x020300061900
    Message-Authenticator = 0xfb650903c72222207e001d0385d8a036
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101022
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101022
[auth_log] expand: %t -> Fri Oct 22 18:32:40 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] Looking up realm "FIRMA1" for User-Name = "FIRMA1\usera"
[ntdomain] Found realm "FIRMA1"
[ntdomain] Adding Stripped-User-Name = "usera"
[ntdomain] Adding Realm = "FIRMA1"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 86 to 192.168.0.2 port 1812
    EAP-Message = 0x0104003619000f0b409c6f7dd2e83b8a1ad34c1b43c61b5cfa499e7822f081073040ea 4c9280acd2686fd194f216030100040e000000
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x1558e554165cfc9edc831547521be2ad
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.

rad_recv: Access-Request packet from host 192.168.0.2 port 1812, id=87, length=465
    NAS-IP-Address = 192.168.0.2
    NAS-Port = 50006
    NAS-Port-Type = Ethernet
    User-Name = "FIRMA1\\usera"
    Called-Station-Id = "00-15-F9-D8-7C-C6"
    Calling-Station-Id = "00-1A-4B-63-69-0B"
    Service-Type = Framed-User
    Framed-MTU = 1500
    State = 0x1558e554165cfc9edc831547521be2ad
    EAP-Message = 0x020401401980000001361603010106100001020100626313e9c274f169e9ed94821e91 d59e61578ab381c0e35788422b88b6e12b77d9551a970514289baaaf9c2ec3edb8ae126c 1c5b5f29d7883997fee2eee9f55a635005cb534cf7c708f0a0ec98dbda376e88b67de461 6926d9aa586737b2536998fad9c4648c8ce1e3b704415c4031063fc103bf0ddd1159d8b8 ef2c5c41332aca99428569333c19f8d539b1a01f232cdf9023030176aef9c9bcea758844 7853febc8b340da21d9b5af78d2d8b5b3acc0779e9f8d970f93471273749a0653a7e6611 ee11bfcabb019b34e3f54f5e1b693d89fe471eab29d8027641dfed05bfeeeca249fd3561 371c
    EAP-Message = 0xa736d666ebba66d8c0a368d306e0af12f71b43504cad85a61403010001011603010020 4c903a9993c942b403d46902c7564ea7f66787ca59a02e46fc08946a84aa509d
    Message-Authenticator = 0x67bf63ab1ed1abebb8161ae463114461
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101022
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101022
[auth_log] expand: %t -> Fri Oct 22 18:32:40 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] Looking up realm "FIRMA1" for User-Name = "FIRMA1\usera"
[ntdomain] Found realm "FIRMA1"
[ntdomain] Adding Stripped-User-Name = "usera"
[ntdomain] Adding Realm = "FIRMA1"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 4 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 310
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 87 to 192.168.0.2 port 1812
    EAP-Message = 0x0105003119001403010001011603010020f8490ec428507eb9225fb4fb3682dd9e465b 8988e2ad4c39c0e66520252de24e
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x1558e554115dfc9edc831547521be2ad
Finished request 10.
Going to the next request
Waking up in 4.8 seconds.

rad_recv: Access-Request packet from host 192.168.0.2 port 1812, id=88, length=149
    NAS-IP-Address = 192.168.0.2
    NAS-Port = 50006
    NAS-Port-Type = Ethernet
    User-Name = "FIRMA1\\usera"
    Called-Station-Id = "00-15-F9-D8-7C-C6"
    Calling-Station-Id = "00-1A-4B-63-69-0B"
    Service-Type = Framed-User
    Framed-MTU = 1500
    State = 0x1558e554115dfc9edc831547521be2ad
    EAP-Message = 0x020500061900
    Message-Authenticator = 0x6c4b11714b857cd0281b682e13c4d900
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101022
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101022
[auth_log] expand: %t -> Fri Oct 22 18:32:40 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] Looking up realm "FIRMA1" for User-Name = "FIRMA1\usera"
[ntdomain] Found realm "FIRMA1"
[ntdomain] Adding Stripped-User-Name = "usera"
[ntdomain] Adding Realm = "FIRMA1"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 88 to 192.168.0.2 port 1812
    EAP-Message = 0x0106002019001703010015f5a3ae52506203eb77289c53fadddc8aced654bcc9
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x1558e554105efc9edc831547521be2ad
Finished request 11.
Going to the next request
Waking up in 4.7 seconds.

rad_recv: Access-Request packet from host 192.168.0.2 port 1812, id=89, length=186
    NAS-IP-Address = 192.168.0.2
    NAS-Port = 50006
    NAS-Port-Type = Ethernet
    User-Name = "FIRMA1\\usera"
    Called-Station-Id = "00-15-F9-D8-7C-C6"
    Calling-Station-Id = "00-1A-4B-63-69-0B"
    Service-Type = Framed-User
    Framed-MTU = 1500
    State = 0x1558e554105efc9edc831547521be2ad
    EAP-Message = 0x0206002b19001703010020a6ad92351444936d3c1868fea4cce44c06a598df0d5fa027 e4123c6c3daf8f5b
    Message-Authenticator = 0x66c1321b7a94107cc7e7d22f05c2fbf3
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101022
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101022
[auth_log] expand: %t -> Fri Oct 22 18:32:41 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] Looking up realm "FIRMA1" for User-Name = "FIRMA1\usera"
[ntdomain] Found realm "FIRMA1"
[ntdomain] Adding Stripped-User-Name = "usera"
[ntdomain] Adding Realm = "FIRMA1"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 6 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - FIRMA1\usera
[peap] Got tunneled request
    EAP-Message = 0x02060014014649524d41315c626c657273636861
server {
  PEAP: Got tunneled identity of FIRMA1\usera
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to FIRMA1\usera
Sending tunneled request
    EAP-Message = 0x02060014014649524d41315c626c657273636861
    FreeRADIUS-Proxied-To = 127.0.0.1
    User-Name = "FIRMA1\\usera"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[ntdomain] Looking up realm "FIRMA1" for User-Name = "FIRMA1\usera"
[ntdomain] Found realm "FIRMA1"
[ntdomain] Adding Stripped-User-Name = "usera"
[ntdomain] Adding Realm = "FIRMA1"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
++[control] returns ok
[eap] EAP packet type response id 6 length 20
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for usera
[ldap] expand: %{Stripped-User-Name} -> usera
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=usera)
[ldap] expand: dc=firma1,dc=de -> dc=firma1,dc=de
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=firma1,dc=de, with filter (uid=usera)
[ldap] Added User-Password = {SSHA}WNtfzJKztV/VYNqJAew//EpfaqFTTmRY in check items
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] sambaNtPassword -> NT-Password == 0x3043423639343838303546373937424632413832383037393733423839353337
[ldap] sambaLmPassword -> LM-Password == 0x3031464335413642453742433639323941414433423433354235313430344545
[ldap] looking for reply items in directory...
[ldap] user usera authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
    EAP-Message = 0x010700291a0107002410c823f451f29e4818ccd3f0be9f3650634649524d41315c626c 657273636861
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xb5046181b5037b4806fda72c76d930a8
[peap] Got tunneled reply RADIUS code 11
    EAP-Message = 0x010700291a0107002410c823f451f29e4818ccd3f0be9f3650634649524d41315c626c 657273636861
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xb5046181b5037b4806fda72c76d930a8
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 89 to 192.168.0.2 port 1812
    EAP-Message = 0x0107004019001703010035c52325a3ae3a7f6bd4de688fbfef456c0fc3bd0b986af49a bfb022fb9ba5a7b92058dc051da50ecf7b3ef7c4eaad3cbd6e99f65e78
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x1558e554135ffc9edc831547521be2ad
Finished request 12.
Going to the next request
Waking up in 4.7 seconds.

rad_recv: Access-Request packet from host 192.168.0.2 port 1812, id=90, length=240
    NAS-IP-Address = 192.168.0.2
    NAS-Port = 50006
    NAS-Port-Type = Ethernet
    User-Name = "FIRMA1\\usera"
    Called-Station-Id = "00-15-F9-D8-7C-C6"
    Calling-Station-Id = "00-1A-4B-63-69-0B"
    Service-Type = Framed-User
    Framed-MTU = 1500
    State = 0x1558e554135ffc9edc831547521be2ad
    EAP-Message = 0x0207006119001703010056c97cf317a157bd52798bc228692340b159bf37c206e5a659 f93993bfcff9077f69ae0747ad07c868de4fb65a6a1ab6a0212c883f47be656fca32ee3b 02a4e6d0c197f4ed72c68d497e8872ad262de7fb1b7737c21234
    Message-Authenticator = 0x0aacaddadb8a501835ed2f2cd9df836c
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101022
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101022
[auth_log] expand: %t -> Fri Oct 22 18:32:41 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] Looking up realm "FIRMA1" for User-Name = "FIRMA1\usera"
[ntdomain] Found realm "FIRMA1"
[ntdomain] Adding Stripped-User-Name = "usera"
[ntdomain] Adding Realm = "FIRMA1"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 7 length 97
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
    EAP-Message = 0x0207004a1a0207004531465311ebc4ad0d394e81e0d169961d1100000000000000001c 75cd6fd76bac69737473ecbe0df750a88714f72a4bc71a004649524d41315c626c657273 636861
server {
  PEAP: Setting User-Name to FIRMA1\usera
Sending tunneled request
    EAP-Message = 0x0207004a1a0207004531465311ebc4ad0d394e81e0d169961d1100000000000000001c 75cd6fd76bac69737473ecbe0df750a88714f72a4bc71a004649524d41315c626c657273 636861
    FreeRADIUS-Proxied-To = 127.0.0.1
    User-Name = "FIRMA1\\usera"
    State = 0xb5046181b5037b4806fda72c76d930a8
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[ntdomain] Looking up realm "FIRMA1" for User-Name = "FIRMA1\usera"
[ntdomain] Found realm "FIRMA1"
[ntdomain] Adding Stripped-User-Name = "usera"
[ntdomain] Adding Realm = "FIRMA1"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
++[control] returns ok
[eap] EAP packet type response id 7 length 74
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for usera
[ldap] expand: %{Stripped-User-Name} -> usera
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=usera)
[ldap] expand: dc=firma1,dc=de -> dc=firma1,dc=de
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=firma1,dc=de, with filter (uid=usera)
[ldap] Added User-Password = {SSHA}WNtfzJKztV/VYNqJAew//EpfaqFTTmRY in check items
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] sambaNtPassword -> NT-Password == 0x3043423639343838303546373937424632413832383037393733423839353337
[ldap] sambaLmPassword -> LM-Password == 0x3031464335413642453742433639323941414433423433354235313430344545
[ldap] looking for reply items in directory...
[ldap] user usera authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Found LM-Password
[mschap] Found NT-Password
[mschap] NT Domain delimeter found, should we have enabled with_ntdomain_hack?
[mschap] Told to do MS-CHAPv2 for FIRMA1\usera with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect: [usera/<via Auth-Type = EAP>] (from client TESTSW01 port 0 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 3
    MS-CHAP-Error = "\007E=691 R=1"
    EAP-Message = 0x04070004
    Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
    MS-CHAP-Error = "\007E=691 R=1"
    EAP-Message = 0x04070004
    Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 90 to 192.168.0.2 port 1812
    EAP-Message = 0x010800261900170301001be755b066be3f16eb4a1f8d7d3f54bf6333dc8a1865a7ef9d c1d31c
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x1558e5541250fc9edc831547521be2ad
Finished request 13.
Going to the next request
Waking up in 4.6 seconds.

rad_recv: Access-Request packet from host 192.168.0.2 port 1812, id=91, length=181
    NAS-IP-Address = 192.168.0.2
    NAS-Port = 50006
    NAS-Port-Type = Ethernet
    User-Name = "FIRMA1\\usera"
    Called-Station-Id = "00-15-F9-D8-7C-C6"
    Calling-Station-Id = "00-1A-4B-63-69-0B"
    Service-Type = Framed-User
    Framed-MTU = 1500
    State = 0x1558e5541250fc9edc831547521be2ad
    EAP-Message = 0x020800261900170301001bd0e5d1e8905737296a8cc3e900996439f0cf0a79a1254ecc 7514a1
    Message-Authenticator = 0xac386bf0ee6044841d403e1ac7a8dea3
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101022
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101022
[auth_log] expand: %t -> Fri Oct 22 18:32:41 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] Looking up realm "FIRMA1" for User-Name = "FIRMA1\usera"
[ntdomain] Found realm "FIRMA1"
[ntdomain] Adding Stripped-User-Name = "usera"
[ntdomain] Adding Realm = "FIRMA1"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 8 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [usera/<via Auth-Type = EAP>] (from client TESTSW01 port 50006 cli 00-1A-4B-63-69-0B)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> FIRMA1\usera
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 14 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 14
Sending Access-Reject of id 91 to 192.168.0.2 port 1812
    EAP-Message = 0x04080004
    Message-Authenticator = 0x00000000000000000000000000000000

--
View this message in context: http://freeradius.1045715.n5.nabble.com/LDAP-authentication-failed-tp3217861p3232594.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
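
Why the with_ntdomain_hack hint in the debug output matters, as an added example (not part of the original thread and not FreeRADIUS code): in MS-CHAPv2 (RFC 2759) the user name is hashed into the challenge, so a server that hashes FIRMA1\usera while the supplicant hashed only usera expects a different response. The function names and the assumption that the supplicant hashed the bare user name are illustrative; the two challenges are the sample values from RFC 2759 section 9.2.

```python
import hashlib

# Sample challenges from RFC 2759 section 9.2; any 16-octet values would do.
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")


def challenge_hash(peer: bytes, auth: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash(): first 8 octets of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    if len(peer) != 16 or len(auth) != 16:
        raise ValueError("PeerChallenge and AuthenticatorChallenge are 16 octets each")
    return hashlib.sha1(peer + auth + username.encode("ascii")).digest()[:8]


def strip_nt_domain(username: str) -> str:
    """Model of the with_ntdomain_hack effect (illustrative, not FreeRADIUS
    code): keep only what follows the first backslash, if there is one."""
    return username.split("\\", 1)[-1]


def compare(user_name_attr: str, name_hashed_by_client: str) -> dict:
    """Compare the client's ChallengeHash with what the server derives from
    the User-Name attribute, with and without domain stripping."""
    client = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, name_hashed_by_client)
    hack_off = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, user_name_attr)
    hack_on = challenge_hash(
        PEER_CHALLENGE, AUTH_CHALLENGE, strip_nt_domain(user_name_attr)
    )
    return {
        "client": client.hex(),
        "server_hack_off": hack_off.hex(),
        "server_hack_on": hack_on.hex(),
        "match_hack_off": client == hack_off,
        "match_hack_on": client == hack_on,
    }


if __name__ == "__main__":
    # User-Name as logged in the thread; assumption: the supplicant hashed "usera".
    for key, value in compare("FIRMA1\\usera", "usera").items():
        print(f"{key:16} {value}")
```

The NT-Response is computed from this ChallengeHash and the NT password hash, so a different ChallengeHash gives a different expected response and the server logs "MS-CHAP2-Response is incorrect". A wrong password or a wrong stored NT hash produces the same log line, so this comparison only rules the user-name form in or out.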

