Yet another multiple SSID setup question

Nick Kartsioukas lists.freeradius at change.nightwind.net
Fri Jul 15 02:13:47 CEST 2011


Okay, I've gotten a bit further, but I'm still not grasping something in
the process flow from authorization to authentication and EAP outer and
inner methods.

I'll paste relevant chunks of my authorize, authenticate, and eap config
sections below.  The conditional switch statement is working properly
and matching my SSID (I do have other statements there, I just chopped
them out here for brevity), the LDAP lookup is working properly and
granting me authorization, but when it goes to EAP to perform
authentication it seems like it never gets to the inner MSCHAPv2 auth
and eventually fails.

ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [nicholas_kartsioukas] (from client slo-wlc1 port 0 via TLS tunnel)
} # server 
[peap] Got tunneled reply code 3
[peap] Got tunneled reply RADIUS code 3
[peap] Tunneled authentication was rejected.
[peap] FAILURE

I've attached the full debug log.  Hopefully someone can point me in the
right direction?  Thanks!

authorize {
        preprocess
        auth_log
        rewrite_called_station_id

        switch Called-Station-Ssid {
                case "test" {
                        redundant-load-balance {
                                ldap_parrotfish
                                ldap_prawn
                                ldap_pike
                        }
                        update control {
                                Auth-Type = CUESTA
                        }
                }
        }

        files
        expiration
        logintime
}

authenticate {
        Auth-Type CUESTA {
                eap_cuesta
                mschap_cuesta
        }
}

        eap eap_cuesta {
                default_eap_type = peap
                timer_expire     = 60
                ignore_unknown_eap_types = no
                cisco_accounting_username_bug = no
                max_sessions = 4096
                md5 {
                }
                leap {
                }
                gtc {
                        auth_type = PAP
                }
                tls {
                        certdir = ${confdir}/certs
                        cadir = ${confdir}/certs
                        private_key_file = /etc/ssl/private/webauth.cuesta.edu.key
                        certificate_file = /etc/ssl/certs/webauth.cuesta.edu.cert
                        CA_file = /etc/ssl/certs/thawte_ssl_webserver_intermediate_cert.crt
                        dh_file = ${certdir}/dh
                        random_file = /dev/urandom
                        CA_path = /etc/ssl/certs
                        cipher_list = "DEFAULT"
                        cache {
                              enable = no
                              lifetime = 24 # hours
                              max_entries = 255
                        }
                        verify {
                        }
                }
                ttls {
                        default_eap_type = md5
                        copy_request_to_tunnel = no
                        use_tunneled_reply = no
                }
                peap {
                        default_eap_type = mschapv2

                        #  the PEAP module also has these configuration
                        #  items, which are the same as for TTLS.
                        copy_request_to_tunnel = no
                        use_tunneled_reply = no
                }
                mschapv2 {
                }
        }
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: debuglog.txt
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20110714/fb86fc27/attachment.txt>

