rlm_passwd fails Stripped-User-Name check when in inner-tunnel mode (PEAP)

Matthew Newton mcn4 at leicester.ac.uk
Thu Nov 12 13:21:08 CET 2015


On Thu, Nov 12, 2015 at 07:14:32PM +0800, Tim Chen wrote:
> 3. EAP(PEAP)
>    I use eapol_test to test
>    identity="john" PASS
>    identity="john@eduroam.example.edu" FAIL!!

Have you still got this config?

  passwd passwdf1 {
     filename = /home/radius/passwd1
     format = "*Stripped-User-Name:NT-Password:"

as you need to look up Stripped-User-Name in the passwd file, not
User-Name.


>         User-Name = "john@eduroam.example.edu"
> server inner-tunnel {
> # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/inner-tunnel
> +group authorize {
> ++[chap] = noop
> ++[mschap] = noop
> [suffix] Looking up realm "eduroam.example.edu" for User-Name = "john@eduroam.example.edu"
> [suffix] Found realm "eduroam.example.edu"
> [suffix] Adding Stripped-User-Name = "john"
> [suffix] Adding Realm = "eduroam.example.edu"
> [suffix] Proxying request from user john to realm eduroam.example.edu

What Alan said - how is your proxying defined? Is
eduroam.example.edu your local realm or remote?

It is very unlikely you want to be proxying in the inner tunnel.
In which case make sure you've still got
  update control {
    Proxy-To-Realm := LOCAL
  }
there.


> [suffix] Preparing to proxy authentication request to realm "eduroam.example.edu"
> ++[suffix] = updated
> ++update control {
> ++} # update control = noop
> [eap] EAP packet type response id 9 length 27
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] = updated
> [files] file_common
> ++[files] = noop
> ++[passwdf1] = notfound

See config above - if you are looking for User-Name then that will
explain why this is notfound.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
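A worked model of the inner-tunnel authorize chain the thread is about. This is an added example, not FreeRADIUS code and not something from the original post: it stands in for the "suffix" instance of rlm_realm, the `update control { Proxy-To-Realm := LOCAL }` stanza, and rlm_passwd's key lookup, just enough to show why a passwd file keyed on User-Name returns notfound as soon as the identity carries a realm suffix, while one keyed on Stripped-User-Name matches. The passwd sample, the realm split, and the treatment of a bare user name (no Stripped-User-Name added) are simplifying assumptions; the real rlm_realm also consults proxy.conf (NULL realm, home servers), which is not modelled here.

```python
"""Simplified model of: suffix -> Proxy-To-Realm := LOCAL -> passwd lookup.

Added example (not FreeRADIUS source). Only the '*' key prefix of the
rlm_passwd format string is modelled; other prefixes are out of scope.
"""

# Constructed sample of a passwd-style file in the thread's format
# "*Stripped-User-Name:NT-Password:". john's hash is the NT hash of the
# string "password"; alice's is a made-up placeholder value.
PASSWD_SAMPLE = """\
# user:NT-Password:
john:8846F7EAEE8FB117AD06BDD830B7586C:
alice:00112233445566778899AABBCCDDEEFF:
"""


def parse_format(fmt: str, delimiter: str = ":") -> tuple:
    """Parse an rlm_passwd-style 'format' string into (field_names, key_index).

    Fields are attribute names separated by `delimiter`; exactly one is
    prefixed with '*' and is the lookup key. Empty names are kept so the
    column positions still line up with the file.
    """
    names = fmt.split(delimiter)
    keys = [i for i, n in enumerate(names) if n.startswith("*")]
    if len(keys) != 1:
        raise ValueError("format needs exactly one '*' key field")
    names[keys[0]] = names[keys[0]][1:]
    return names, keys[0]


def load_passwd(text: str, fmt: str, delimiter: str = ":") -> tuple:
    """Index a passwd-style file by its key column. Returns (key_attr, table)."""
    names, key_idx = parse_format(fmt, delimiter)
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        cols = line.split(delimiter)
        cols += [""] * (len(names) - len(cols))  # short line: missing columns are empty
        items = {n: v for i, (n, v) in enumerate(zip(names, cols))
                 if n and v and i != key_idx}
        table.setdefault(cols[key_idx], items)  # first matching line wins
    return names[key_idx], table


def suffix(request: dict, delimiter: str = "@") -> str:
    """Stand-in for the 'suffix' instance of rlm_realm (simplified).

    Splits User-Name at the last delimiter into Stripped-User-Name and
    Realm and marks the request for proxying to that realm. A bare user
    name is left untouched (assumption; the real module's NULL-realm
    handling depends on proxy.conf).
    """
    name = request.get("User-Name", "")
    if delimiter not in name:
        return "noop"
    user, realm = name.rsplit(delimiter, 1)
    request["Stripped-User-Name"] = user
    request["Realm"] = realm
    request["control"]["Proxy-To-Realm"] = realm
    return "updated"


def force_local(request: dict) -> None:
    """The inner-tunnel 'update control { Proxy-To-Realm := LOCAL }' stanza."""
    request["control"]["Proxy-To-Realm"] = "LOCAL"


def passwd_lookup(key_attr: str, table: dict, request: dict) -> str:
    """Stand-in for rlm_passwd authorize: look the key attribute up in the file.

    If the key attribute is absent from the request, or its value is not
    in the file, the result is notfound; otherwise the row's remaining
    columns are added as control items.
    """
    key = request.get(key_attr)
    if key is None or key not in table:
        return "notfound"
    request["control"].update(table[key])
    return "ok"


def authorize(identity: str, fmt: str) -> tuple:
    """Run the modelled inner-tunnel chain for one identity and format string."""
    request = {"User-Name": identity, "control": {}}
    suffix(request)
    force_local(request)
    key_attr, table = load_passwd(PASSWD_SAMPLE, fmt)
    return passwd_lookup(key_attr, table, request), request


if __name__ == "__main__":
    for fmt in ("*User-Name:NT-Password:", "*Stripped-User-Name:NT-Password:"):
        for ident in ("john", "john@eduroam.example.edu"):
            rc, req = authorize(ident, fmt)
            print(f"{fmt:36} {ident:26} -> passwd = {rc}")
```

With the realm-suffixed identity, the User-Name-keyed format never matches a line in the file (the file holds "john", the request holds "john@eduroam.example.edu"), which is the notfound in the debug output above; keying on Stripped-User-Name matches and also leaves Proxy-To-Realm at LOCAL, so the inner tunnel authenticates locally instead of proxying.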