hi,
The consultant setting that up smiled smugly at that success and then left. But the access from outside, using the same credentials, fails.
well, I can understand the happiness at getting the first Access-Accept working but its not a good approach to getting repeat customers. it takes about a day to get eduroam up and running at an Organisation - if relevant stakeholders and ops people are around. otherwise it can drag out to 2 days. from a quick glance at the logs you sent - the requests from the FLR go to ther own FreeRadius virtual server 'eduroam' - good. easy to define auth policy there, but it seems your internal eduroam things do too - thats not good. you should have your own internal virtual server for internal eduroam (if requests are not your realm and are valid realm format etc send them off to the FLR, for your own users, auth and then give relevant access VLANS etc.) you appear to have duplicate module lying around for mschap - you have require_message_authenticator = no for NAS clients set that to yes, you should not be letting clients that dont have this ability to use your resources (I ran eduroam at a site that was in eduroam from the early days and we had this enforcement) and finally, as others have already said, the incoming request being targetted at you from the outside world is not an EAP request. oh, regarding that, in your eduroam virtual server, reject non EAP requests as first line protection anyway. alan