huntgroup check problems
Alan DeKok
aland at deployingradius.com
Fri Jan 20 12:18:34 CET 2012
Oscar Remírez de Ganuza Satrústegui wrote:
> We are using freeradius (Version 2.1.9) to serve access requests for
> 802.1x, using PEAP/EAP/MSCHAPv2 (windows7). We use LDAP for
> authentication (user accounts) and authorization (Ldap-Groups).
> We also tunneled the request to the same radius for our realm "unav.es
That is a fairly common setup.
> I am having some problems using huntgroups to identify the origin of a
> request.
> I have simplified the test trying to find out the problem, but I do not
> understand what is happening:
> (The "notworking log" is appended at the end of the message. I had to
> trim it to make it shorter)
It would have been better to follow the instructions in the FAQ,
README, "man" page, web pages, and daily on this list: "radiusd -X".
Using "radiusd -xX" produces 2x the output, and is NOT needed.
> I can see in the "not working log" that on the first requests the
> huntgroup is being recognised ok. I just do not understand why it tries
> again to check it, until it fails (request #9).
Because it's checking the user *inside* of the TLS tunnel. Go read
raddb/sites-available/inner-tunnel. You will probably need to modify
your huntgroup check.
> I also do not understand why it needs so many requests (12!) to work ok.
That's how 802.1X works. It sends lots of packets.
Alan DeKok.