I'll set up a set of docker containers to test some different use cases I can imagine when dealing with RADIUS proxying in eduroam. Probably this will take the next week, when I'm ready I'll post a link where you can try out all these things. With the current master I still have the problem that, if I omit the "if (updated)"-Section freeradius sends out Access-Reject when getting an Access-Challenge. When I put the "if(updated)" section there, it sends out the Access-Challenge, but with incorrect Message Authenticator and I haven't foud a way to tell my check script to ignore the Message Authenticator, so I haven't tested it further yet. I currently can't post the radius debug output, I'll probably do that in a few days, when I had the time to create a setup without any production secrets inside the configuration. Greetings Jan-Frederik Rieckers On 26.07.19 00:20, Alan DeKok wrote:
On Jul 24, 2019, at 2:11 PM, Jan-Frederik Rieckers <rieckers+freeradius-devel@uni-bremen.de> wrote:
I've tried these "fixes":
* Leave everything as it is * Remove the update{} section * Add the "ok" after the update{}
All of these fixes don't work.
Which means... what?
When I run eapol_test, it tells me for the reply Invalid Message-Authenticator! Incoming RADIUS packet did not have correct Message-Authenticator - dropped
So it seems to be a problem with message authenticator also?
Yes, it's not creating a Message-Authenticator attribute for proxied replies that have EAP-Message.
I've pushed a fix.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html