EAP Session problems
Alan DeKok
aland at deployingradius.com
Mon Sep 8 17:24:48 CEST 2014
Cardinal-Richards, Emma wrote:
> We've run up 2 new pre-prod RADIUS servers with a newer release of freeradius and have indicated they are 'testdev' under our site's eduroam support. When we attempt to login with an account 'username at test.ucl.ac.uk' to our production ORPS we see the request reach our testdev ORPS but it fails to authenticate locally. (We've declared test.ucl.ac.uk as a realm in proxy.conf to be authorised locally to avoid looping back up to the NRPS and back to us etc). It fails with an EAP 'did not finish' (in the style as shown at the bottom section of here http://wiki.freeradius.org/guide/Certificate-Compatibility, the client is linux) failing to see it as a new session. Our certificates are the same on both production and testdev.
If you get EAP "did not finish", it's almost always the fault of the
client.
For this, you'll have to run the server with "-Xx", in order to get
timing information.
> The other odd behaviour is that despite getting a REJECT from this testdev server, I get authenticated by our production ORPS using 'username at test.ucl.ac.uk' which is not a declared local realm on the production ORPS.
See the debug output on the production servers for why that's happening.
Alan DeKok.
More information about the Freeradius-Users
mailing list