freeradius-proxy + PAP works, PEAP and the rest doesn't

uni at christiankraus.de uni at christiankraus.de
Thu Jul 3 18:04:30 CEST 2008


>> - External users should be able to login on WLAN via 802.1X with
>> MSCHAPv2/PEAP in Windows XP.

>  That's relatively easy.  In 2.0, just install it, configure a
>user/password (see the FAQ), start it in debug mode as root, and
>un-check "validate server certificate" on the Windows box.

Well, this is already running with internal users. Those are correctly proxied to the local internal RADIUS server.
Also, they don't have to uncheck "validate server certificate". They can authenticate it against a valid CA. There everything runs great. The problem exists with external customers that are proxied to another one.


>> When using local radtest to verify the user, everything looks okay. But as
>> soon as I take a Windows client, properly configured, or the radeapclient, it
>> doesn't work.
>> 
>> Here is the output from radius -X.
>> It is 1.1.7, but the same errors occur on version 2.0.5:
>Don't run 1.1.7.  Honest.

Well, I tried 2.0.5 first, then I switched to 1.1.7 just for testing. Both don't work.

>> #/This message appears about 2000+ times
>><shrug>  It's 1.1.7.

Well, the output from radius -X was 17,5 MB in size...


>> rad_recv: Access-Reject packet from host 139.212.22.110:1812, id=1,
>> length=40
>> Reply-Message = "Request Denied"
>> Proxy-State = 0x3931
>So... the home server is rejecting the user.
>Have you run the home server in debug mode to see what it's doing, and
>why it's rejecting the request?  If not, why not?  Is it even FreeRADIUS?

Well, I do not have any influence on that home server on my own. But...

>>My guess is that the home server cannot do EAP.  If so, why are you
>>"going crazy with freeradius"?  You're blaming the proxy for the actions of the home server.

...

>>Go fix the home server to do EAP.  If you can't make it do EAP, throw
>>it away, and replace it with FreeRADIUS.

... that RADIUS server is a FreeRADIUS server. I called the administrator of it. And it is running great with all other RADIUS servers within the rest of the "sharing WLAN access" community.
It has in fact been running for years now.

So, must be another error, I guess?



