Your RADIUS reject, explained in plain English
Paste radiusd -X debug output or a Windows NPS event and get
back what actually failed β the failure stage, the three most likely
causes ranked, and one concrete next check for each. No account, no
upload, no waiting.
Analyze a log now Browse common errors
How it works
radiusd -X output or an NPS event 6273/6274
copied as text from Event Viewer.
Built from real tickets
The diagnosis rules encode years of vendor-side RADIUS support pattern-matching: the same handful of failures β wrong shared secrets, untrusted certificates, MSCHAPv2 vs password-hash mismatches, policies that never match β cause the vast majority of 802.1X outages. The rules are open source and reviewable, and the CLI runs the exact same ones.
Common failures, explained
- FreeRADIUS 'certificate expired' TLS alert β server cert, client cert, or a wrong clock
Diagnosing expired-certificate failures in radiusd -X: everyone failing at once means the server certificate; one device means a client cert or its clock. Commands to check both.
- FreeRADIUS 'Ignoring request from unknown client' β why the NAS times out instead of failing
What it means when radiusd -X shows 'Ignoring request to auth address from unknown client': the missing clients.conf entry, multi-homed NAS source IPs, and why the client side only sees timeouts.
- FreeRADIUS 'invalid Message-Authenticator! (Shared secret is incorrect.)' explained
Why FreeRADIUS drops packets with an invalid Message-Authenticator, how to find which clients.conf entry is actually being used, and the NAT trap that keeps this error alive after you've fixed the secret.
- FreeRADIUS 'Login incorrect' β how to read radiusd -X to find the real reason
'Login incorrect' is the summary line, not the diagnosis. How to walk a FreeRADIUS debug log backwards from the reject to the module that actually failed, with the patterns to grep for.
- FreeRADIUS 'MS-CHAP2-Response is incorrect' β wrong password, or a password your backend can't check
What the mschap FAILED error in radiusd -X really means: the TLS tunnel is fine, and the inner MSCHAPv2 check failed β because of the password, the stored hash format, or the AD account state.
- FreeRADIUS 'No known good password' β the server has nothing to check against
What 'Failed to find known good password' in radiusd -X means: no authorize module supplied a password, the stored hash is incompatible with the auth method, or the lookup silently missed.
- FreeRADIUS 'TLS Alert read:fatal:unknown CA' β the client doesn't trust your server cert
What the unknown CA alert in radiusd -X debug output means, why the client (not the server) is rejecting the handshake, and the three trust problems that cause it.
- FreeRADIUS EAP stalls mid-handshake β 'Discarding duplicate request' and the fragment-size fix
Why 802.1X authentications hang partway through the TLS handshake: oversized RADIUS packets carrying certificate fragments get dropped, the NAS retransmits, and the client never answers. Diagnosis and the fragment_size fix.
- FreeRADIUS rlm_ldap bind failures β admin bind vs user bind, and which one broke
Troubleshooting 'LDAP bind failed' errors in FreeRADIUS: wrong bind DN credentials, LDAPS/StartTLS certificate trust, unreachable directory, and the difference between the service bind and per-user authentication binds.
- FreeRADIUS TLS handshake failures with old devices β tls_min_version and legacy supplicants
Diagnosing generic TLS handshake failures in radiusd -X: printers and embedded devices stuck on TLS 1.0/1.1 against servers enforcing TLS 1.2+, cipher mismatches, and users cancelling trust prompts.
- Migrating from PEAP-MSCHAPv2 to EAP-TLS without breaking Wi-Fi for a week
A staged migration plan from password-based PEAP to certificate-based EAP-TLS: why NTLM hardening is forcing the move, the dual-policy transition pattern, and the reason codes you'll see when a device is mid-migration.
- NPS Event 6273 Reason Code 16 explained β and why it's often not the password
What 'Authentication failed due to a user credentials mismatch' actually means in Windows NPS, the three causes that produce it, and the exact fields in the event that tell you which one you have.
- NPS Event 6273 Reason Code 22 β 'EAP type cannot be processed' (check the server cert first)
Why NPS rejects clients with 'the EAP type cannot be processed by the server' β expired NPS certificates, PEAP vs EAP-TLS mismatches, and corrupted EAP policy config.
- NPS Event 6273 Reason Code 23 β 'an error occurred during EAP' means your NPS certificate
Decoding NPS Reason Code 23: why 'check EAP log files' almost always means the NPS server's own certificate is expired, missing its private key, or failing revocation checks.
- NPS Event 6273 Reason Code 262 β 'the signature was not verified' means shared secret
Why 'The supplied message is incomplete. The signature was not verified' in Windows NPS is a shared secret mismatch, and how to find which RADIUS client entry is at fault.
- NPS Event 6273 Reason Code 36 β account locked out (usually by the Wi-Fi itself)
Why NPS rejects with 'the account is locked out', how a stale cached Wi-Fi password causes the lockout loop, and the neighboring reason codes 34, 35, 37, 38 for disabled/expired accounts.
- NPS Event 6273 Reason Code 48 β no network policy matched (group and port-type traps)
Why 'The connection request did not match any configured network policy' happens even when the user and password are right: group scoping, computer vs user objects, NAS Port Type conditions, and policy ordering.
- NPS Event 6273 Reason Code 49 β no connection request policy matched
What it means when a RADIUS request fails to match any NPS connection request policy: deleted default CRPs, day/time and NAS conditions, and proxy realm rules.
- NPS Event 6273 Reason Code 65 β denied by the account's dial-in 'Network Access Permission'
Why one user gets rejected by NPS while everyone else connects: the AD account's Dial-in tab set to Deny access, the msNPAllowDialin attribute, and the policy checkbox that overrides it.
- NPS Event 6273 Reason Code 66 β auth method not enabled on the matching policy
Decoding 'the user attempted to use an authentication method that is not enabled on the matching network policy': EAP mismatches mid-migration, non-EAP fallbacks, and requests matching the wrong policy.
- NPS Event 6273 Reason Code 7 β 'the specified domain does not exist'
Why NPS says the domain does not exist: usernames with the wrong realm, personal email addresses typed as identities, NetBIOS vs DNS domain names, and DC locator failures.
- NPS Event 6273 Reason Code 8 β 'the user account does not exist' (but it does)
Why Windows NPS says the specified user account does not exist even when you can see it in AD: username format mismatches, host/ machine identities, and cross-domain lookups.
- NPS Event 6274 β 'discarded the request' is not a reject (and why that matters)
The difference between NPS event 6273 (denied) and 6274 (discarded), and the causes of discards: unverifiable packets, malformed requests, and accounting problems.
- NPS Reason Code 48 vs 49 β which policy layer rejected you, and why it matters
The two 'no policy matched' rejects in Windows NPS compared: connection request policies vs network policies, how to tell them apart in seconds, and which console tab to open for each.
- RADIUS server not responding / timing out β the silent failures, in order of likelihood
When the NAS reports RADIUS timeouts instead of rejects: silent drops from unknown clients and bad secrets, dropped UDP fragments mid-EAP, dead services, and firewalled or wrong ports β with the checks for each.