EAP fails when proxying to a realm

Christopher Manigan cmanigan at towerstream.com
Thu Jun 28 19:17:03 CEST 2012


Thanks for pointing those things out to me.  I am no longer proxying back to myself like that, and I've told the sql module to use stripped user name when possible and it looks like it's all working now.

Best wishes,
Chris
________________________________________
From: freeradius-users-bounces+cmanigan=towerstream.com at lists.freeradius.org [freeradius-users-bounces+cmanigan=towerstream.com at lists.freeradius.org] on behalf of Phil Mayers [p.mayers at imperial.ac.uk]
Sent: Thursday, June 28, 2012 12:49 PM
To: freeradius-users at lists.freeradius.org
Subject: Re: EAP fails when proxying to a realm

On 28/06/12 17:33, Christopher Manigan wrote:
> I am trying to use MSCHAPv2 to authenticate users.  This works ok, except when I try to proxy to a realm.  Pasted below is the debug of a user trying to authenticate.  The realm is a prefix of the username.  What I see buried in the debug is:
>
>
> # radiusd -X
> FreeRADIUS Version 2.1.11, for host i686-pc-linux-gnu, built on Jun 28 2012 at 11:37:39

Upgrade to 2.1.12 if possible

> Sending Access-Request of id 22 to 127.0.0.1 port 1812

Why on earth are you proxying back to yourself, to the same virtual
server no less?

I suspect this is confusing the server, since it fails inside the
handler further down.

> [eap] Identity does not match User-Name, setting from EAP Identity.

You are rewriting the username. This doesn't work with EAP. Don't do that.

If you need to strip realms etc. use "Stripped-User-Name". Leave the
original username alone.

> [eap] Failed in handler
> ++[eap] returns invalid
> Failed to authenticate the user.
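An added illustration (not part of the original thread and not FreeRADIUS code) of the advice above: a simplified model of the check behind the "[eap] Identity does not match User-Name" debug line, showing why realm stripping should go into Stripped-User-Name instead of overwriting User-Name. The "/" prefix delimiter, the sample user "corp/alice" and all function names are assumptions made for this example.

```python
import struct

EAP_RESPONSE = 2        # EAP Code: Response
EAP_TYPE_IDENTITY = 1   # EAP Type: Identity

def build_eap_identity(ident, identity):
    """Build an EAP-Response/Identity packet (constructed sample input)."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, ident, 4 + len(body)) + body

def parse_eap_identity(eap):
    """Return the identity carried in an EAP-Response/Identity, else None."""
    if len(eap) < 5:
        raise ValueError("EAP packet too short")
    code, _ident, length = struct.unpack("!BBH", eap[:4])
    if length < 5 or length > len(eap):
        raise ValueError("bad EAP length field")
    if code != EAP_RESPONSE or eap[4] != EAP_TYPE_IDENTITY:
        return None
    return eap[5:length].decode("utf-8", "replace")

def split_prefix_realm(user_name, delimiter="/"):
    """Split 'realm/user'; the delimiter is an assumption for this example."""
    realm, sep, user = user_name.partition(delimiter)
    if sep and realm and user:
        return realm, user
    return None, user_name

def strip_realm(request, rewrite_user_name):
    """Return a copy of the request attributes with the realm handled."""
    out = dict(request)
    realm, user = split_prefix_realm(request["User-Name"])
    if realm is None:
        return out
    out["Realm"] = realm
    if rewrite_user_name:
        out["User-Name"] = user            # the approach the reply warns against
    else:
        out["Stripped-User-Name"] = user   # original User-Name left alone
    return out

def eap_identity_consistent(request):
    """True when the EAP identity (if present) still equals User-Name."""
    identity = parse_eap_identity(request["EAP-Message"])
    return identity is None or identity == request["User-Name"]

# Constructed sample request: outer User-Name and EAP identity agree on arrival.
SAMPLE = {"User-Name": "corp/alice",
          "EAP-Message": build_eap_identity(1, "corp/alice")}
```

Modules that need the bare name, such as the sql lookup mentioned in the follow-up, would read Stripped-User-Name while the EAP handler keeps seeing the unmodified User-Name.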