FreeRadius going through ISA to reach federation

Phil Mayers p.mayers at imperial.ac.uk
Sat Dec 17 11:51:42 CET 2011


On 12/16/2011 09:20 PM, Rui Ribeiro wrote:

>> Eh? Who suggested that?
> Another freeradius<->IAS thread in this list.

Well, it's not a very useful suggestion in this instance. Setting 
Reply-Message won't magically make something work. Perhaps the original 
thread had some context that explains why the person thought it was 
useful at that juncture.

>
>>
>>>
>>> Despite all the efforts, when talking with the IAS, I receive back
>>> the error
>>> Proxy-State = 0x3137.
>>
>> That's not an error; it's just a radius attribute.
>>
> In the debug logs, I have:
> ad_recv: Access-Reject packet from host 10.10.66.18 port 1812, id=251,
> length=24
> Proxy-State = 0x3137
>

Yes, I know. What I'm trying to tell you is that "Proxy-State" is just a 
radius attribute related to proxying. It would be present in any packet, 
accept, challenge or reject, from the upstream server.

Ignore the Proxy-State. What matters is that the "code" is 
Access-Reject. The upstream server either rejected the packet itself, or 
forwarded a reject from the wider eduroam proxy hierarchy.

>
>>>
>>> Any advice?
>>
>> You will need to debug this on the IAS server, since it is sending (or
>> proxying) the reject. My guess is the policies in IAS are wrong.
>>
>>
> Tried to see the IAS logs, they didn't make much sense. Will have a look at
> system events.

Which version of "IAS" is this? i.e. which version of Windows are you on?

If you're on NPS (Win2k8 or Win2k8R2) then event viewer is where all the 
useful stuff is.

Do you control the IAS/NPS server?

I have (sadly) spent a bit of time with NPS learning how it works so I 
can explain its awfulness - if you want to contact me off-list with the 
policies & config, I'll take a look.

Cheers,
Phil
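
Added example, not part of the original message and not FreeRADIUS code: a Python parser run over a packet constructed to match the debug output quoted above (Access-Reject, id=251, length=24, Proxy-State = 0x3137). It shows that the code field carries the result and that a 24-byte reply has room for nothing except Proxy-State, so the reason for the reject has to be found on the upstream server. The zero-filled authenticator and the function names are assumptions.

```python
import struct

# RADIUS packet codes (RFC 2865) and the one attribute type of interest here.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
PROXY_STATE = 33  # attribute type for Proxy-State in RFC 2865

def parse_radius(packet: bytes):
    """Return (code_name, identifier, [(attr_type, value_bytes), ...])."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = [], 20  # bytes 4..19 are the authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return CODES.get(code, f"code {code}"), ident, attrs

def proxied_result(packet: bytes):
    """Outcome as the proxy sees it: decided by the code, not by Proxy-State."""
    code_name, ident, attrs = parse_radius(packet)
    return {
        "code": code_name,
        "id": ident,
        "proxy_state": [v.hex() for t, v in attrs if t == PROXY_STATE],
        "other_attrs": [(t, v) for t, v in attrs if t != PROXY_STATE],
    }

# Constructed sample: code, id, length and Proxy-State value are taken from the
# quoted debug output; the 16-byte authenticator is a zero-filled placeholder.
SAMPLE_REJECT = bytes([3, 251, 0, 24]) + bytes(16) + bytes([PROXY_STATE, 4, 0x31, 0x37])

if __name__ == "__main__":
    print(proxied_result(SAMPLE_REJECT))
```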


