On Fri, Jul 15, 2011 at 7:13 AM, Nick Kartsioukas <lists.freeradius@change.nightwind.net> wrote:
Okay, I've gotten a bit further, but I'm still not grasping something in the process flow from authorization to authentication and EAP outer and inner methods.
I'll paste relevant chunks of my authorize, authenticate, and eap config sections below. The conditional switch statement is working properly and matching my SSID (I do have other statements there, I just chopped them out here for brevity), the LDAP lookup is working properly and granting me authorization, but when it goes to EAP to perform authentication it seems like it never gets to the inner MSCHAPv2 auth and eventually fails.
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Login incorrect: [nicholas_kartsioukas] (from client slo-wlc1 port 0 via TLS tunnel) } # server [peap] Got tunneled reply code 3 [peap] Got tunneled reply RADIUS code 3 [peap] Tunneled authentication was rejected. [peap] FAILURE
I've attached the full debug log. Hopefully someone can point me in the right direction? Thanks!
I'd look at these lines: [ldap_parrotfish] performing search in ou=CUESTA,dc=cuesta,dc=org, with filter (sAMAccountName=nicholas_kartsioukas) [ldap_parrotfish] No default NMAS login sequence [ldap_parrotfish] looking for check items in directory... [ldap_parrotfish] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? Do you have cleartex-password somewhere in your LDAP schema? If not, then MSCHAPv2 will NOT work. It MIGHT work with TTLS-PAP or PEAP-GTC, but requires special setup (to force LDAP bind). If yes, then check ldap.attrmap to ensure attribute mappings matched. -- Fajar