Change use_tunneled_reply to yes in peap section of eap.conf. Ivan Kalik Kalik Informatika ISP Dana 14/11/2008, "Tod A. Sandman" <sandmant@rice.edu> piše:
Ivan Kalik wrote:
Why don't you map that in ldap.attrmap?
Thanks so much. I removed all LDAP settings from users, and I have TTLS-PAP working fine with redundant LDAP for authorization and Kerberos for Authentication.
Now I can't get the only other mode we need: PEAP/MSChapv2. LDAP authorization is working fine, and the ntlm-auth authentication works fine, but required attributes are not being sent back in the Access-Accept packet.
Unlike when I connect via TTLS-PAP, the Access-Accept does not include some required attributes. The debug output shows them getting set properly within sites-enabled/inner-tunnel and getting updated with "update outer.reply", but they get dropped before the Access-Accept packet.
I haven't touched sites-enabled/default.
I enabled ldap in sites-enabled/inner-tunnel, and afterwards I do an "update outer.reply", i.e.:,
redundant-load-balance redundant_ldap { ldap1 ldap2 ldap3 }
update outer.reply { Cisco-AVPair := "%{reply:Connect-Info}" Class := "OU=%{reply:Connect-Info}" }
and the debug output shows this working.
But the Access-Accept does not include these attributes as it does when I use TTLS-PAP.
I tried moving the "update outer.reply" to the post-auth section, but this did not help.
My config is quite close to the default. The only PEAP related change I made was to update modules/mschap with the correct ntlm_auth line.
Thanks for any ideas.
Tod Sandman Sr. Systems Administrator Middleware Development & Integration Rice University