<HTML><HEAD>
<META content="text/html; charset=utf-8" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.7600.16700"></HEAD>
<BODY style="MARGIN: 4px 4px 1px; FONT: 10pt Segoe UI">
<DIV>Hello All,</DIV>
<DIV> </DIV>
<DIV>I am setting up an Eduroam authentication server using FreeRadius 2.1.1 on Suse Linux 12. I am proxying authentication requests to a Cisco ACS. When testing using radtest from the FreeRadius box authentication is proxyed to ACS fine and i get an access-accept back. However when i try from a wireless client the proxy response from the ACS is an Access-Reject. In the failed attempts logs on the ACS it says bad username or password. i'm pretty sure im using the correct password. Is there any reason why this should not work? I've posted my logs below:-</DIV>
<DIV> </DIV>
<DIV>rad_recv: Access-Request packet from host 1.1.1.1 port 32768, id=210, length=255<BR> User-Name = "<A href="mailto:01420893@uct.ac.za">username</A>@xyz.ac.za"<BR> Calling-Station-Id = "00-1e-64-8f-f1-2a"<BR> Called-Station-Id = "08-17-35-32-f2-90:Eduroam"<BR> NAS-Port = 29<BR> NAS-IP-Address = 1.1.1.1 </DIV>
<DIV> NAS-Identifier = "uc-wism-2"<BR> Airespace-Wlan-Id = 4<BR> Service-Type = Framed-User<BR> Framed-MTU = 1300<BR> NAS-Port-Type = Wireless-802.11<BR> Tunnel-Type:0 = VLAN<BR> Tunnel-Medium-Type:0 = IEEE-802<BR> Tunnel-Private-Group-Id:0 = "63"<BR> EAP-Message = 0x02a0002b190017030100204673d48ae9e9d21afa7fe1fd6cae4d95841ae136e4fe85ad44acd3a4d0228a69<BR> State = 0x4541503d302e66666666666666662e63666337302e373b5356433d302e31363139623b<BR> Message-Authenticator = 0xaab2e06ffb5753411ad8d42b71cafbdd<BR>+- entering group authorize {...}<BR>++[preprocess] returns ok<BR>++[chap] returns noop<BR>++[mschap] returns noop<BR>[suffix] Looking up realm "xyz.ac.za" for User-Name = "<A href="mailto:username@xyz.ac.za">username@xyz.ac.za</A>"<BR>[suffix] Found realm "xyz.ac.za"<BR>[suffix] Adding Stripped-User-Name = "username"<BR>[suffix] Adding Realm = "xyz.ac.za"<BR>[suffix] Proxying request from user username to realm xyz.ac.za<BR>[suffix] Preparing to proxy authentication request to realm "xyz.ac.za"<BR>++[suffix] returns updated<BR>[eap] Request is supposed to be proxied to Realm xyz.ac.za. Not doing EAP.<BR>++[eap] returns noop<BR>++[unix] returns notfound<BR>++[files] returns noop<BR>++[expiration] returns noop<BR>++[logintime] returns noop<BR>++[pap] returns noop<BR>Sending Access-Request of id 81 to 2.2.2.2 port 1812<BR> User-Name = "username"<BR> Calling-Station-Id = "00-1e-64-8f-f1-2a"<BR> Called-Station-Id = "08-17-35-32-f2-90:Eduroam"<BR> NAS-Port = 29<BR> NAS-IP-Address = 1.1.1.1 </DIV>
<DIV> NAS-Identifier = "uc-wism-2"<BR> Airespace-Wlan-Id = 4<BR> Service-Type = Framed-User<BR> Framed-MTU = 1300<BR> NAS-Port-Type = Wireless-802.11<BR> Tunnel-Type:0 = VLAN<BR> Tunnel-Medium-Type:0 = IEEE-802<BR> Tunnel-Private-Group-Id:0 = "63"<BR> EAP-Message = 0x02a0002b190017030100204673d48ae9e9d21afa7fe1fd6cae4d95841ae136e4fe85ad44acd3a4d0228a69<BR> State = 0x4541503d302e66666666666666662e63666337302e373b5356433d302e31363139623b<BR> Message-Authenticator = 0x00000000000000000000000000000000<BR> Proxy-State = 0x323130<BR>Proxying request 8 to home server 2.2.2.2 port 1812<BR>Sending Access-Request of id 81 to 2.2.2.2 port 1812<BR> User-Name = "username"<BR> Calling-Station-Id = "00-1e-64-8f-f1-2a"<BR> Called-Station-Id = "08-17-35-32-f2-90:Eduroam"<BR> NAS-Port = 29<BR> NAS-IP-Address = 1.1.1.1 </DIV>
<DIV> NAS-Identifier = "uc-wism-2"<BR> Airespace-Wlan-Id = 4<BR> Service-Type = Framed-User<BR> Framed-MTU = 1300<BR> NAS-Port-Type = Wireless-802.11<BR> Tunnel-Type:0 = VLAN<BR> Tunnel-Medium-Type:0 = IEEE-802<BR> Tunnel-Private-Group-Id:0 = "63"<BR> EAP-Message = 0x02a0002b190017030100204673d48ae9e9d21afa7fe1fd6cae4d95841ae136e4fe85ad44acd3a4d0228a69<BR> State = 0x4541503d302e66666666666666662e63666337302e373b5356433d302e31363139623b<BR> Message-Authenticator = 0x00000000000000000000000000000000<BR> Proxy-State = 0x323130<BR>Going to the next request<BR>Waking up in 0.9 seconds.<BR>rad_recv: Access-Reject packet from host 2.2.2.2 port 1812, id=81, length=61<BR> Proxy-State = 0x323130<BR> EAP-Message = 0x04a00004<BR> Reply-Message = "Rejected\n\r"<BR> Message-Authenticator = 0xbcede120e168d2d92558e5f4ab8e03d5<BR></DIV>
<DIV> </DIV>
<DIV>Thanks </DIV>
<DIV> </DIV>
<DIV>Erisan</DIV><BR>
<!--StartFragment-->
<p style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 10pt; margin-left: 0cm" class="msonormal">
<font face="Monospaced">###</font>
</p>
<p style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 10pt; margin-left: 0cm" class="msonormal">
<font size="3" face="Monospaced">UNIVERSITY OF CAPE TOWN </font>
</p>
<p style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 10pt; margin-left: 0cm" class="msonormal">
</p>
<p style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 10pt; margin-left: 0cm" class="msonormal">
<font size="3" face="Calibri">This e-mail is subject to the UCT ICT
policies and e-mail disclaimer published on our website at
http://www.uct.ac.za/about/policies/emaildisclaimer/ or obtainable from
+27 21 650 9111. This e-mail is intended only for the person(s) to whom
it is addressed. If the e-mail has reached you in error, please notify
the author. If you are not the intended recipient of the e-mail you may
not use, disclose, copy, redirect or print the content. If this e-mail
is not related to the business of UCT it is sent by the sender in the
sender's individual capacity.</font>
</p>
<p style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 10pt; margin-left: 0cm" class="msonormal">
</p>
<p style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 10pt; margin-left: 0cm" class="msonormal">
<font face="Monospaced">### </font><br>
</p>
<!--EndFragment-->
</BODY></HTML>