On Dec 6, 2017, at 8:20 AM, Tobias Balle-Petersen <tobiasbp@gmail.com> wrote:
At the dawn of time, I set up a FreeRADIUS 2.x server with an openLDAP backend for use with my Apple access points. This has worked for years.
That's common. I've seen people with installations that are 10+ years old. If it works... why change it?
I am now trying to make the same confuguration with FreeRADIUS 3.0.12 in a FreeBSD jail. Unfortunately, I can not make it work.
Follow the guide: http://deployingradius.com/documents/configuration/eap.html And test the "inner-tunnel" first. Read the comments at the start of that file for more details.
I have pasted the lengthy log of a failed attempt here: https://pastebin.com/CLqegYRe
It looks to me like this is where it goes wrong: ... (18) pap: WARNING: Auth-Type already set. Not setting to PAP (18) [pap] = noop (18) } # authorize = updated (18) Found Auth-Type = Reject (18) Auth-Type = Reject, rejecting user
That means the "Auth-Type = Reject" was set somewhere long before that message is printed. Read the *rest* of the log to look for Reject, or something that might set it. Specifically:
(8) files: users: Matched entry DEFAULT at line 63
As ALWAYS, the default configuration works. Install it, add a user, configure a cert, and EAP for WiFi *will* work. Many people start mashing all kinds of things into the config without testing. Then, after a few days of editing, it doesn't work. Since they *never* tested it, it never worked, and they have no idea where it went from "working" to "not working". Take a methodical approach to changing the configuration. And *test* it every time you make a change. This is all documented in "man radiusd". Alan DeKok.