Freeradius doesn't detect EAP when authenticating against MySQL

Andrew Rowson freeradius at growse.com
Mon Sep 17 20:10:17 CEST 2007



Phil Mayers wrote:
> Sigh.
> 
> Don't set the Auth-Type AT ALL. The only legitimate uses are:
> 
>  * setting it to Accept for PAP requests
>  * setting it to Reject
>  * setting it to the name of a specific instance where there are >1 of
> the same type of auth module with different configs (e.g. 2 different
> LDAPs or 2 different mschap)
> 
> The "eap" module will itself detect the request is eap and (assuming the
> server is configured correctly, as it is by default) set the Auth-Type.
> By forcing it manually, you are guaranteeing that certain authentication
> configurations will fail.

I know all this now, I didn't before. I set this server up a while back 
to handle my cisco device logins, I can't remember why I'd put that in 
radgroupcheck. It's not removed.

>> and seems to issue the attributes (my cisco priv ones are there) ok. My 
>> laptop still doesn't get an IP address, but this may now be an issue 
>> with the AP.
>>
>> Can I safely now say that freeradius is behaving correctly and the issue 
>> is now with the AP, or does the above output still point to a freeradius 
>> issue?
> 
> I don't know why you're returning:
> 
> Cisco-AVPair = "shell:priv-lvl=15"
> Service-Type = Administrative-User
> 
> ...to an access point EAP session; neither makes any sense, and I
> suppose could be mucking things up, but most likely the problem lies
> with the supplicant rather than the AP. It may not like the SSL server
> certificate, though from what I can see it's not getting that far. Is
> the supplicant configured to do EAP-TLS?

I'm returning these because, as above, I want to use the same 
credentials as those that I use for logging into my cisco routers, and I 
want to pass those attributes when I log into a router. It's true they 
could be confusing things for the AP, but is there a way to not return 
them when the auth type is detected as EAP? Or do I have to use a 
completely different set of credentials?

> It's apparent you've done a serious amount of fiddling with the default
> configs. I suggest doing a default/clean install, and starting from the
> most basic - a user in the "users" file:
> 
> username	Cleartext-Password := "foobar"
> 
> Check if they can authenticate. Then setup the sql module, put the above
> AND ONLY THE ABOVE entries in the database, and test again. Making one
> change at a time will allow you to pin down the problem; at the moment,
> there are lots of things it *could* be.

I will do this.
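
The Auth-Type rules quoted at the top of this message can be checked mechanically against the SQL check tables. The following is an added example, not part of the original post or of FreeRADIUS: it assumes the stock `radcheck` / `radgroupcheck` column layout, the `named_instances` allowlist is a hypothetical operator-supplied parameter, and all rows are constructed sample data.

```python
import sqlite3

# Values the quoted reply lists as legitimate for a forced Auth-Type.
# (Whether an Accept row is only ever hit by PAP requests is not checked here.)
ALWAYS_OK = {"accept", "reject"}

def audit_auth_type(conn, named_instances=()):
    """Return check rows that force Auth-Type outside the legitimate uses.

    named_instances: hypothetical operator-supplied names of extra module
    instances (e.g. a second LDAP config) that may be selected explicitly.
    """
    allowed = ALWAYS_OK | {n.lower() for n in named_instances}
    findings = []
    # Assumption: stock FreeRADIUS SQL schema (radcheck / radgroupcheck).
    for table, owner_col in (("radcheck", "username"), ("radgroupcheck", "groupname")):
        rows = conn.execute(
            f"SELECT {owner_col}, op, value FROM {table} "
            "WHERE lower(attribute) = 'auth-type' ORDER BY rowid"
        )
        for owner, op, value in rows:
            if value.strip().lower() not in allowed:
                findings.append((table, owner, op, value))
    return findings

def sample_db():
    """Constructed sample data, not taken from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE radcheck (username TEXT, attribute TEXT, op TEXT, value TEXT);
        CREATE TABLE radgroupcheck (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
        INSERT INTO radcheck VALUES ('username', 'Cleartext-Password', ':=', 'foobar');
        INSERT INTO radcheck VALUES ('blocked', 'Auth-Type', ':=', 'Reject');
        INSERT INTO radgroupcheck VALUES ('netadmins', 'Auth-Type', ':=', 'Local');
        INSERT INTO radgroupcheck VALUES ('staff', 'Auth-Type', ':=', 'ldap2');
    """)
    return conn

if __name__ == "__main__":
    for table, owner, op, value in audit_auth_type(sample_db(), ["ldap2"]):
        print(f"{table}: {owner} forces Auth-Type {op} {value}; "
              "remove it so the eap module can set Auth-Type itself")
```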
