On Jul 27, 2020, at 11:18 AM, psuet <psuet@kawo1.rwth-aachen.de> wrote:
here is my log for a EAP-PWD Authentication and the following content in my authorize file:
"fEAy7zL2B9" Calling-Station-Id == "D8-C7-71-88-93-83", Cleartext-Password := "password" Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = 3706
Thanks for any answer!
You didn't set "virtual_server" in the pwd module.
eap { default_eap_type = "pwd" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } ... # Linked to sub-module rlm_eap_pwd pwd { group = 19 fragment_size = 1020 server_id = "radius-1@domain.de" }
See the comments in the default configuration.
... (3) eap: Calling submodule eap_pwd to process data (3) eap_pwd: Sending tunneled request (3) eap_pwd: User-Name = "fEAy7zL2B9@sub3.domain.de" (3) eap_pwd: server default {
Which means it's running the packet through the default virtual server again. Note that the User-Name printed here is NOT the same as the one you put into the "authorize" file. In order for the file to match, the names have to match.
(3) suffix: Checking for suffix after "@" (3) suffix: Looking up realm "sub3.domain.de" for User-Name = "fEAy7zL2B9@sub3.domain.de" (3) suffix: Found realm "sub3.domain.de" (3) suffix: Adding Stripped-User-Name = "fEAy7zL2B9" (3) suffix: Adding Realm = "sub3.domain.de" (3) suffix: Authentication realm is LOCAL (3) [suffix] = ok (3) eap: No EAP-Message, not doing EAP (3) [eap] = noop (3) files: EXPAND %{%{Stripped-User-Name}:-%{User-Name}} (3) files: --> fEAy7zL2B9 (3) [files] = noop
Hmm... that should match. Are you sure that you put the entry into the "authorize" file? If so, where? Alan DeKok.