Hi I'm working with Luciano on eduroam BR and trying to solve this. I attached our debug files. 4 files: 1) debug-eapol-from-ujfteste-to-rnpteste - the client eapol running an auth test 2) debug-ufjfteste-FR3 - FreeRadius @ inst1/ufjfteste.br 3) debug-rnpteste-FR3 - FreeRadius @ inst1/rnpteste.br 4) debug-radsecproxy-FLR - radsecproxy @ federation level What caught my attention was this "error" on the local (institution) FreeRadius rlm_eap (EAP): No EAP session matching state 0xc6ab1049c7a90598 I can send debug file from radtest too, but I think this isn't necessary Thank you all --Edelberto Em 13-Jul-17 4:59 PM, Alan Buxey escreveu:
not sure what you've done - I've used FreeRADIUS with native radsec connectivity to proxy EAP to remote servers (RADIATOR and radsecproxy) and to receive EAP from the same remote proxies. Would suggest, as Alan had said, to grab debug and check what the server is doing. its all quite clear what its doing (dont be overwhelmed by all the output, just read it step by step...) - there will be some very ovbious difference between the EAP and your radtest - likely to be related to action of server when packet has gone into inner-tunnel (which, I'm guessing it shouldnt be doing as its supposed to be proxied to remote site......)
alan
On Jul 13, 2017, at 9:46 AM, Luciano Fernandes da Rocha <luciano.rocha@rnp.br> wrote:
Briefly, our scenario has 3 servers with FreeRadius 3.0.14. 2 institutions (ufjfteste.br and rnpteste.br) and 1 FLR (.br). On the institution level we run RadSec (embedded TCP/TLS in FreeRadius3) to communicate with our FLR, a radsecproxy. So, using this TLS communication, EAP does not work, but turning off it and doing the communication between all servers using only UDP (disabling RadSec at institutions and radsecproxy at FLR), all EAP methods works.
Please be clearer about "it doesn't work". What happens? What does the debug say?
To confirm it, if we turn on the TLS communication, we could only authenticate using 'radtest' (as we know, a simple authentication without EAP).
We suspect that EAP messages are lost during the exchanging when TLS communication are enable. The server doesn't lose EAP messages.
Do you have any ideia about it to help us? Read the debug output. Or, post it to the list. Nothing else will help.
if it's too large to send on the list (~500K), send it to me off-list. Preferably gzip'd.
Set up a proxy which uses RadSec to talk to a home server. Set up the home server with test certs and a test user. Use wpa_supplicant to send packets to the proxy.
Then send ALL the debug output over.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 13 July 2017 at 15:23, Alan DeKok <aland@deployingradius.com> wrote: - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html