On Wed, 1 Sep 2010, Alan DeKok wrote:
Kadlecsik Jozsef wrote:
rad_recv: Access-Request packet from host 127.0.0.1 port 43327, id=0, length=160 User-Name = "anonymous@teszt.eduroam.hu"
The original packet from eapol_test.
+- entering group pre-proxy {...} ... Sending Access-Request of id 135 to 195.111.98.4 port 1812 User-Name = "anonymous@teszt.eduroam.hu"
Which is proxied.
rad_recv: Access-Challenge packet from host 195.111.98.4 port 1812, id=67, length=67
i.e. received an Access-Challenge from the home server.
Sending Access-Challenge of id 1 to 127.0.0.1 port 43327
i.e. it's being sent back to eapol_test.
rad_recv: Access-Request packet from host 127.0.0.1 port 43327, id=2, length=240
And the NAS is continuing the EAP conversation.
User-Name = "anonymous@teszt.eduroam.hu"
And this packet isn't proxied.
Why?
rlm_eap: No EAP session matching the State variable. [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
Since it isn't proxied, it's handled locallt.
I turned out that the default setting in the virtual server: authorize { ... eap { ok = return } .... files } prevented the daemon to process the users file. From the debug log: +[mschap] returns noop [eap] EAP packet type response id 2 length 93 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} i.e, the users file was skipped. Thanks for pointing out the local processing, somehow we did not realize it. Best regards, Jozsef -- E-mail : kadlec@mail.kfki.hu, kadlec@blackhole.kfki.hu PGP key: http://www.kfki.hu/~kadlec/pgp_public_key.txt Address: KFKI Research Institute for Particle and Nuclear Physics H-1525 Budapest 114, POB. 49, Hungary