Re: freeradius-proxy + PAP works, PEAP and the rest doesn't

Alan DeKok aland at deployingradius.com
Thu Jul 3 18:14:04 CEST 2008


uni at christiankraus.de wrote:
>>> - External users should be able to login on WLAN via 802.1X with
>>> MSCHAPv2/PEAP in Windows XP.
> 
>>  That's relatively easy.  In 2.0, just install it, configure a
>> user/password (see the FAQ), start it in debug mode as root, and
>> un-check "validate server certificate" on the Windows box.
> 
> Well, this is already running with internal users. Those are correctly proxied to the local internal Radius Server.

  i.e. non-EAP users.

> Also they don't have to uncheck the "validate server certificate". They can authenticate it against a valid CA. There everything runs great. The problem exists with external customers that are proxied to another one.

  <sigh>  The suggestion to uncheck that box was for TESTING.  Not for
PRODUCTION use.

> Well I tried 2.0.5 first, then I switched to 1.1.7 just for testing. Both don't work.

  Go read my message again.  The problem is NOT the proxy.  The problem
is the home server.  If you noticed, the proxy debug mode shows that the
HOME SERVER is rejecting the requests.  The proxy is simply at the mercy
of the HOME SERVER.

>>> Go fix the home server to do EAP.  If you can't make it do EAP, throw
>>> it away, and replace it with FreeRADIUS.
> 
> ... that Radius Server is a FreeRadius server. I called the administrator of it. And it is running great with all other Radius servers within the rest of the "sharing WLAN access" community.

  That's nice.  Ask him why it's returning Access-Reject for your users.

> So, must be another error, I guess?

  The home server is rejecting the user.  No amount of playing games
with the proxy will fix the home server.  You could install 1.1.7,
2.0.5, Cisco ACS, Juniper's SBR, Radiator, or nearly any other RADIUS
server on the proxy and IT STILL WOULD NOT WORK.

  Go fix the home server so that it doesn't reject your users.  Yell at
its admin, if necessary.

  Stop playing games with the proxy.  You're wasting your time.

  Alan DeKok.
