Windows10 PEAP: "Could not find Pool-Name attribute"
aland at deployingradius.com
Tue Sep 17 16:16:57 CEST 2019
On Sep 16, 2019, at 9:07 AM, Volodymyr Litovka <doka.ua at gmx.com> wrote:
> I’m facing a problem connecting Windows 10 client to Strongswan (IKEv2) with Freeradius as AAA backend.
> Configuration of Freeradius is almost untouched and it works like a charm for OSX->Strongswan clients:
> - added ippool to mods-enabled (main_pool)
> - enabled main_pool in ‘default’ site in ‘post-auth’ and ‘accounting’ sections
> Unlike OSX, Windows10 falls into PEAP conversation, thus I modified sites-enabled/inner-tunnel - added main_pool into ‘post-auth’ section as well.
Note that this does sets it *only* for the inner-tunnel request. Not the outer one.
> Output from ‘freeradius -X' is available at the following link: https://pastebin.com/FKFep8Za where you can see that until and during step (8) Freeradius successfully authenticates user, assigns Framed-IP-Address from the pool and returns it (line 926) for further processing, but during step (9) it tries to do the same (line 1034) and fails. It either don’t see Framed-IP-Address attribute or losing information about main_pool during passes over inner-tunnel?
Each packet is handled as a separate thing. If you want attributes saved across multiple packets, then place them into the session-state list. See the "inner-tunnel" examples for more information.
> User definition is quite simple:
> aeris Cleartext-Password := "q1w2e3", Pool-Name := main_pool
> Service-Type = Framed-User
> Removing main_pool from sites-enabled/inner-tunnel (in order to leave this to sites/default) changed nothing - same message "Could not find Pool-Name attribute” appears in log. I tried to play with some configurations parameters in mods-enabled/eap (copy_request_to_tunnel, use_tunneled_reply), sites-enabled/inner-tunnel (if(0)/if(1)) but since I don’t clearly understand for what they’re responsible, I've got no success.
> Can anybody point me to the cause of the problem?
You need to copy the main_pool settings from the inner-tunnel to the *outer* session-state list. Then, apply it in the *outer* post-auth section.
More information about the Freeradius-Users