Sigh.
Don't set the Auth-Type AT ALL. The only legitimate uses are:
* setting it to Accept for PAP requests
* setting it to Reject
* setting it to the name of a specific instance where there are >1 of
the same type of auth module with different configs (e.g. 2 different
LDAPs or 2 different mschap)
The "eap" module will itself detect the request is eap and (assuming the
server is configured correctly, as it is by default) set the Auth-Type.
By forcing it manually, you are guaranteeing that certain authentication
configurations will fail.
and seems to issue the attributes (my cisco priv ones are there) ok. My
laptop still doesn't get an IP address, but this may now be an issue
with the AP.
Can I safely now say that freeradius is behaving correctly and the issue
is now with the AP, or does the above output still point to a freeradius
issue?
I don't know why you're returning:
Cisco-AVPair = "shell:priv-lvl=15"
Service-Type = Administrative-User
...to an access point EAP session; neither make any sense, and I
suppose could be mucking things up, but most likely the problem lies
with the supplicant rather than the AP. It may not like the SSL server
certificate, though from what I can see it's not getting that far. Is
the supplicant configured to do EAP-TLS?
It's apparent you've done a serious amount of fiddling with the default
configs. I suggest doing a default/clean install, and starting from the
most basic - a user in the "users" file:
username Cleartext-Password := "foobar"
Check if they can authenticate. Then setup the sql module, put the above
AND ONLY THE ABOVE entries in the database, and test again. Making once
change at a time will allow you to pin down the problem; at the moment,
there are lots of things it *could* be.