EAP does not work with realms

Iliya Peregoudov iperegudov at cboss.ru
Fri Jun 29 10:17:52 CEST 2012


Hello Chris,

Local realms should be defined as empty in raddb/proxy.conf. E.g.:

realm myrealm {
}

Your current erroneous setting

realm myrealm {
    auth_pool = mypool
}

leads to stripping the realm part from User-Name and proxying the request to 
127.0.0.1.

If you want to completely ignore the presence of a realm in User-Name, you 
need to use %{%{Stripped-User-Name}:-%{User-Name}} instead of %{User-Name}. 
E.g., in the rlm_sql configuration:

sql {
    ...
    sql_user_name = "%{%{Stripped-User-Name}:-%{User-Name}}"
    ...
}


Christopher Manigan wrote:
> Hi, I am trying to get EAP MSCHAPv2 working with realms.  When I authenticate without using a realm prefix, MSCHAPv2 works ok.  Once I add a realm prefix into the mix, I get radius rejection.  Below is radius running in debug with a user failing to authenticate.  I see this buried in the debug but am unsure how to troubleshoot or correct:
> 
> [eap] Identity does not match User-Name, setting from EAP Identity.
> [eap] Failed in handler
> ++[eap] returns invalid
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> 
> Here is the radius debug, with some information changed or removed to keep it anonymous:
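
A check for the misconfiguration described in the reply above, as an added example that is not part of the original thread or of FreeRADIUS itself: it classifies each realm in proxy.conf-style text as local (empty body), proxied, or proxied to a loopback home server. The sample configuration, the names localhost and local.example, the definition of mypool, and the simplified parser (flat blocks in one file, no $INCLUDE) are assumptions.

```python
import ipaddress
import re

# Constructed sample proxy.conf (not from the post); names are illustrative.
SAMPLE = """
home_server localhost {
    type = auth
    ipaddr = 127.0.0.1
}
home_server_pool mypool {
    home_server = localhost
}
realm myrealm {
    auth_pool = mypool
}
realm local.example {
}
"""

BLOCK = re.compile(r"^\s*(home_server_pool|home_server|realm)\s+(\S+)\s*\{(.*?)^\s*\}", re.S | re.M)
PAIR = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)

def parse(text):
    """Return {section_type: {name: [(key, value), ...]}} for flat blocks."""
    out = {"home_server": {}, "home_server_pool": {}, "realm": {}}
    for kind, name, body in BLOCK.findall(re.sub(r"#.*", "", text)):
        out[kind][name] = PAIR.findall(body)
    return out

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr == "localhost"  # hostname, not an IP literal

def lint_realms(text):
    """Map each realm to 'local', 'proxied' or 'proxied-to-self'."""
    conf, result = parse(text), {}
    for realm, pairs in conf["realm"].items():
        pools = [v for k, v in pairs if k in ("pool", "auth_pool", "acct_pool")]
        servers = [v for p in pools for k, v in conf["home_server_pool"].get(p, []) if k == "home_server"]
        addrs = [v for s in servers for k, v in conf["home_server"].get(s, []) if k == "ipaddr"]
        if not pools:
            result[realm] = "local"  # empty realm: request is handled locally
        else:
            result[realm] = "proxied-to-self" if any(map(is_loopback, addrs)) else "proxied"
    return result
```

Calling `lint_realms()` on the text of raddb/proxy.conf and reviewing any realm reported as proxied-to-self points at realms that were meant to be local.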


