Rob, Can you show us the full debug log of the home server (I'm assuming you are running that in debug mode)? Thanks! Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Networkshop44, University of Manchester. Save the date: 22-24 March, 2016. #NWS44 Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200. On 13/03/2016 19:38, "Freeradius-Users on behalf of Rob Gorrell" <freeradius-users-bounces+stefan.paetow=jisc.ac.uk@lists.freeradius.org on behalf of rwgorrel@uncg.edu> wrote:
I am trying to set up a working EAP-TTLS/PAP demo using FreeRadius 2.2.6 on top of CentOS6. For simplicity, I would like to use PAP and statically define Cleartext-Password for users in the users file. But I also would like to be able to authenticate using full realm since I plan on using realm for testing some routing. I currently have this working for basic radius by stripping the realm and then using Cleartext-Password from the users file ... however, when I went to put the same setup through EAP TTLS, I'm now having problems and getting a no User-Password attribute dispite supplying one the same one from radtest but using rad_eap_test.
Sun Mar 13 13:06:32 2016 : Auth: Login incorrect: [bob/<via Auth-Type = EAP>] (from client localhost port 58 cli fcdbb33f581d) Sun Mar 13 13:06:33 2016 : Auth: Login incorrect (Home Server says so): [ bob@rgorrell.net/<no User-Password attribute>] (from client raddev port 58 cli fcdbb33f581d)
While researching, I came across a theory that sounds fitting to my situation... upon receiving a username qualified by a realm, FreeRadius will strip the realm off before matching the username. This results in the User-Name being modified to be different to the EAP Identity field before being sent for actual authenticating. This results in FreeRadius issueing a rejection due to the mismatch between the two fields.
Does that sound right? If so, I'm not sure what I can do about it... I can't nostrip the username as then I won't be able to authenticate via PAP. but I can't login identically matching my users file (ie no realm), because I need the realm for routing.
Suggestions? Thanks, -Rob - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html