huntgroup check problems

Alan DeKok aland at
Fri Jan 20 12:18:34 CET 2012

Oscar Remírez de Ganuza Satrústegui wrote:
> We are using freeradius (Version 2.1.9) to serve access requests for
> 802.1x, using PEAP/EAP/MSCHAPv2 (windows7). We use LDAP for
> authentication (user accounts) and authorization (Ldap-Groups).
> We also tunneled the request to the same radius for our realm "

  That is a fairly common setup.

> I am having some problems using huntgroups to identified the origin of a
> request.
> I have simplified the test trying to find out the problem, but I do not
> understand what it is happening:

> (The "notworking log" is appended at the end of the message. I had to
> trim it to make it shorter)

  It would have been better to follow the instruction in the FAQ,
README, "man" page, web pages, and daily on this list: "radiusd -X".
Using "radiusd -xX" produces 2x the output, and is NOT needed.

> I can see in the "not working log" that on the first requests the
> huntgroup is been recognised ok. I just do not understand why it tries
> again to check it, until it fails (request #9).

  Because it's checking the user *inside* of the TLS tunnel.  Go read
raddb/sites-available/inner-tunnel.  You will probably need to modify
your huntgroup check.

> I also do not understand why it needs so many requests (12!) to work ok.

  That's how 802.1X works.  It sends lots of packets.

  Alan DeKok.

More information about the Freeradius-Users mailing list