Troubleshooting

This section covers common problems seen in eduroam deployments and day-to-day operations.

Common User Issues

Repeated password prompts

Typical causes:

  • incorrect username format, for example missing @realm
  • expired or changed password
  • stale device profile
  • server certificate not trusted

Recommended actions:

  • confirm the username is in the format user@institution.ac.ke
  • remove the old eduroam profile and install a fresh profile
  • use eduroam CAT where available
  • verify date and time on the device

Certificate warning during connection

Users must not ignore certificate warnings. A warning usually means:

  • the device was not configured with the correct trust settings
  • the institution changed its RADIUS server certificate
  • the user connected to a misconfigured or rogue network

If certificate validation fails, reconnect only after installing the correct profile or confirming the expected server name and CA.

Connected but no Internet access

Check:

  • DHCP scope availability
  • user VLAN assignment
  • firewall policy
  • DNS reachability
  • AP/controller policy for the eduroam SSID

FreeRADIUS Troubleshooting

Run in debug mode

Use debug mode when validating configuration changes:

systemctl stop freeradius
freeradius -X

For packaged FreeRADIUS 3.x on some platforms, radiusd -X is equivalent.

Debug mode shows:

  • incoming requests
  • realm matching and proxy decisions
  • EAP state machine details
  • LDAP, SQL, and policy processing
  • accept or reject reasons

Validate configuration before restart

freeradius -XC

Use this after editing virtual servers, modules, clients, realms, or policy files.

Test local authentication

Simple PAP test against a local user or backend:

radtest user@institution.ac.ke 'test-password' 127.0.0.1 0 testing123

Use eapol_test for realistic 802.1X/EAP testing where available.

SP-Side Problems

Requests not leaving the SP

Check:

  • clients.conf entries for APs/controllers
  • source IP and shared secret
  • firewall rules permitting UDP 1812 and 1813
  • realm proxy configuration
  • home server reachability

Requests proxied but no reply received

Check:

  • upstream federation IPs and shared secrets
  • NAT or firewall state expiry
  • duplicate or incorrect home server definitions
  • packet filtering between SP and federation servers

Users authenticate but land in the wrong VLAN

Check:

  • whether the AP/controller honors standard tunnel attributes
  • authorization policy order in sites-enabled/default
  • group lookup results in LDAP or SQL
  • controller-side VLAN mapping and role policy

Expected RADIUS attributes usually include:

Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = "20"

IdP-Side Problems

Inner authentication fails

Check:

  • PEAP or TTLS inner method configuration
  • LDAP bind account and search filter
  • Active Directory group policy restrictions
  • password expiry or account lockout

Realm is not routed correctly

Check:

  • local realm definitions
  • nostrip versus strip behavior
  • federation registration for the institution realm
  • whether the user is typing the correct realm

Server certificate problems

Check:

  • certificate chain completeness
  • server name matching
  • expiration dates
  • EKU and KU fields
  • whether the issuing CA is distributed to clients

Logging and Monitoring

Useful locations vary by distribution, but common paths include:

  • /var/log/freeradius/radius.log
  • /var/log/freeradius/radacct/
  • journalctl -u freeradius

Monitor at least:

  • authentication success and failure rate
  • proxy latency
  • certificate expiry
  • AP/controller RADIUS timeout rate
  • accounting volume and SQL write failures
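As an added example (not from this page or from the FreeRADIUS project), the script below turns radius.log "Auth:" lines into the per-realm success and failure counts listed above and flags a single client repeatedly failing for one user, which is the log-side view of the "repeated password prompts" symptom. The log line layout is assumed from typical FreeRADIUS 3.x installations, and the sample lines, realm names and client names are constructed placeholders.

```python
"""Summarise FreeRADIUS radius.log Auth: lines per realm and flag looping clients."""
import re
from collections import defaultdict

# "Auth:" line layout as written by FreeRADIUS 3.x (format assumed from typical
# installs); the sample lines below are constructed, not captured from a real server.
AUTH_LINE = re.compile(
    r"^(?P<ts>.+?) : Auth: \(\d+\) Login (?P<result>OK|incorrect)"
    r"(?: \((?P<reason>[^)]*)\))?: \[(?P<user>[^\]/]+)[^\]]*\]"
    r" \(from client (?P<client>\S+) port \d+(?: cli (?P<mac>\S+))?\)"
)

SAMPLE_LOG = """\
Mon Jan 15 08:00:01 2024 : Auth: (101) Login OK: [bob@institution.ac.ke] (from client ap-lib-01 port 1 cli 00-11-22-33-44-55)
Mon Jan 15 08:00:03 2024 : Auth: (102) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [alice@institution.ac.ke/<via Auth-Type = eap>] (from client ap-lib-01 port 1 cli 66-77-88-99-aa-bb)
Mon Jan 15 08:00:05 2024 : Auth: (103) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [alice@institution.ac.ke/<via Auth-Type = eap>] (from client ap-lib-01 port 1 cli 66-77-88-99-aa-bb)
Mon Jan 15 08:00:07 2024 : Auth: (104) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [alice@institution.ac.ke/<via Auth-Type = eap>] (from client ap-lib-01 port 1 cli 66-77-88-99-aa-bb)
Mon Jan 15 08:00:09 2024 : Auth: (105) Login OK: [carol@partner.example] (from client ap-hall-02 port 1 cli aa-bb-cc-dd-ee-ff)
Mon Jan 15 08:00:11 2024 : Auth: (106) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [dave] (from client ap-hall-02 port 1 cli 11-22-33-44-55-66)
"""

def parse_auth_lines(text):
    """Yield one dict per parsed Auth: line; unrelated log lines are skipped."""
    for line in text.splitlines():
        m = AUTH_LINE.match(line)
        if m:
            yield m.groupdict()

def realm_of(user):
    """Realm part of user@realm; a missing '@realm' (the classic typo) maps to '<none>'."""
    return user.rpartition("@")[2] if "@" in user else "<none>"

def summarise(text, repeat_threshold=3):
    """Per-realm OK/incorrect counts, plus (user, mac) pairs failing repeatedly:
    the radius.log signature of a device looping on a stale profile or password."""
    per_realm = defaultdict(lambda: {"ok": 0, "incorrect": 0})
    failures = defaultdict(int)
    for rec in parse_auth_lines(text):
        key = "ok" if rec["result"] == "OK" else "incorrect"
        per_realm[realm_of(rec["user"])][key] += 1
        if key == "incorrect":
            failures[(rec["user"], rec["mac"] or rec["client"])] += 1
    repeaters = sorted(k for k, n in failures.items() if n >= repeat_threshold)
    return dict(per_realm), repeaters

def failure_rate(stats):
    """Fraction of rejected attempts for one realm's counters (0.0 when no traffic)."""
    total = stats["ok"] + stats["incorrect"]
    return stats["incorrect"] / total if total else 0.0
```

Feed it the real radius.log (or `journalctl -u freeradius` output) and graph failure_rate per realm over time; a realm whose rate jumps after a certificate rollover or password-policy change is the first thing to look at.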