EAP-TTLS not working

A.L.M.Buxey at lboro.ac.uk
Mon Oct 17 17:29:17 CEST 2016


Hi,

> /var/log/radius-eduroam/radacct/127.0.0.1/auth-detail-20161017
> [auth_log]      expand: %t -> Mon Oct 17 15:05:33 2016
> ++[auth_log] = ok
> [suffix] Looking up realm "ash-berlin.eu" for User-Name =
> "anonymous at ash-berlin.eu"
> [suffix] No such realm "ash-berlin.eu"

so, a realm you are trying to auth isn't defined in the proxy.conf as one of your own, e.g.

realm ash-berlin.eu {
}


> [files] users: Matched entry DEFAULT at line 1

what is on line 1 of your users file? (I shudder to think....)

> Found Auth-Type = Perl
> Found Auth-Type = EAP
> Warning:  Found 2 auth-types on request for user

yes....see that warning. you are forcing the server to do something - e.g. Auth-Type
is being manually set.  you shouldn't need to do that...

> ++? if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~
> /.*@ash-berlin.eu$/)) -> FALSE

as you can see, this policy you have isn't matching.  if you have the realm defined, you can just check for %{Realm}
being populated...nice and easy.

now, the debug never shows an access-accept or reject.....the server never ends up in an inner-tunnel.

what is the PERL script for? does it need to be called for an EAP auth in the outer phase?  you need to
streamline the policy so only calls to relevant modules are called in the outer phase and only the
bits you need (once EAP tunnel has been configured, client happy with cert from server etc) are
called.... 

alan
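
Added example, not part of the original message and not FreeRADIUS code: a small Python triage script that picks out of a debug capture the symptoms pointed out in the reply above (undefined realm, two Auth-Types, a policy condition evaluating FALSE, no final Access-Accept or Access-Reject). It assumes one request's debug output with mail quoting and line wrapping removed; the function name and finding codes are invented for this illustration.

```python
import re

# Constructed sample: the debug lines quoted in the message above, with the
# "> " mail quoting and the line wrapping removed.
SAMPLE_DEBUG = """\
[suffix] Looking up realm "ash-berlin.eu" for User-Name = "anonymous at ash-berlin.eu"
[suffix] No such realm "ash-berlin.eu"
[files] users: Matched entry DEFAULT at line 1
Found Auth-Type = Perl
Found Auth-Type = EAP
Warning:  Found 2 auth-types on request for user
++? if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~ /.*@ash-berlin.eu$/)) -> FALSE
"""

NO_REALM = re.compile(r'No such realm "([^"]+)"')
AUTH_TYPE = re.compile(r'Found Auth-Type = (\S+)')
USERS_MATCH = re.compile(r'\[files\] users: Matched entry (\S+) at line (\d+)')
COND_FALSE = re.compile(r'\+\+\? if (.+) -> FALSE')


def triage(debug_text):
    """Return (code, detail) findings for one request's debug output."""
    findings = []
    # Realm in User-Name that the suffix module could not find.
    for realm in sorted(set(NO_REALM.findall(debug_text))):
        findings.append(("undefined-realm", realm))
    # More than one distinct Auth-Type means something sets it by hand.
    auth_types = AUTH_TYPE.findall(debug_text)
    if len(set(auth_types)) > 1:
        findings.append(("conflicting-auth-type", ",".join(auth_types)))
        # A users-file entry that matched is a likely place to look.
        for entry, line in USERS_MATCH.findall(debug_text):
            findings.append(("users-file-match", f"{entry}:{line}"))
    # Policy conditions that did not match.
    for cond in COND_FALSE.findall(debug_text):
        findings.append(("condition-false", cond))
    # The request never reached a final reply.
    if not re.search(r'Access-(Accept|Reject)', debug_text):
        findings.append(("no-final-reply", "no Access-Accept or Access-Reject seen"))
    return findings


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_DEBUG):
        print(f"{code}: {detail}")
```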

