Dear group, you obviously still know my old thread: http://lists.freeradius.org/mailman/htdig/freeradius-users/2008-July/msg0009... I am using still freeradius 1.1.7 Well, the problem was not the foreign server which had the problems. It is kind of embarrassing to say: The reason was my access points. There was a setting, saying that each password should be transfered while being coded with md5. Although I don´t know why this had any influence on the clients with MSChapv2/PEAP or TTLS/PAP I removed the setting and voila it works. So now, foreigner from other wanted enterprises can use our WLAN using their login credentials. So, the other way should also work. Do you know eduroam? The service we use is similar to this Let´s look at my setup: WLAN-accesspoints with SSID1 for local users-------------------------------------------------------------------------->Windows 2003 with IAS and active directory same WLAN-accesspoints with SSID2 for foreign users---------------->myFreeRadiusServer------------->Windows 2003 with IAS and active directory outside central server<------------------------------------------------------------->myFreeRadiusServer------------->Windows 2003 with IAS and active directory outside central server<------------------------------------------------------------->someonesOtherRadiusServer1 outside central server<------------------------------------------------------------->someonesOtherRadiusServer2 ... So, my local users are able tu use SSID1 with 802.1X. They use PEAP with MSCHAPv2 to use the WLAN. No problem. It works. Also, if they accidently use SSID2, which is for foreigners, they can use it. They login with "username@mydomain.com". Everything which ends with "@mydomain.de" is proxied from "myFreeRadiusServer" to the "Windows 2003 with IAS and active directory". This is also working without any problems. Foreigners can use their credentials, e.g.: "username@someonesOtherdomain.com". This credentials are passed to "myFreeRadiusServer". Everything else, that doesn´t end "@mydomain.de" is passed to the "outside central server". There is a list which maps the other "@someonesOtherdomain.com" to the right "someonesOtherRadiusServers" So dozen of other servers. And from there the request is proxied to the corresponding "someonesOtherRadiusServer" which belongs to the right "@someonesOtherdomain.com" What is working: I can use the "username@someonesOtherdomain.com" from a foreign enterprise to login and use the WLAN. No problem here. But the other way round doesn´t work. I asked a collegue from one of those foreign enterprises to test the login with "username@mydomain.com" He gave me the following error message: Mon Aug 4 17:19:57 2008 : Auth: Login incorrect (Home Server says so): [username@mydomain.com] (from client CB-Access-Point-802.11 port 2 cli 00-1B-77-A4-7B-A2) I don´t know where the problem is. Perhaps you can give me a hint? Coming to my configuration files with changed IP addresses...: ----------------------------------------------------------------------------- clients.conf: client WLAN-IP-AP1 { secret = oft36fW! shortname = WLAN-AP1 nastype = other } ... client "outside central server"-IP { secret = ASECRETPASSWORD shortname = top-level-radius1 nastype = other } client "outside central backup server"-IP { secret = ASECRETPASSWORD shortname = top-level-radius1 nastype = other } ----------------------------------------------------------------------------- proxy.conf realm mydomain.com { type = radius authhost = IAS-IP:1812 accthost = IAS-IP:1813 secret = anotherpass #ldflag = round_robin1 nostrip } realm DEFAULT { type = radius authhost = outside central server:1812 accthost = outside central server:1813 secret = pass nostrip } realm DEFAULT { type = radius authhost = outside central backup server:1812 accthost = outside central backup server:1813 secret = pass nostrip } ----------------------------------------------------------------------------- users DEFAULT, Realm == mydomain.com, FreeRADIUS-Proxied-To == IAS-IP User-Name = `%{User-Name}`, Fall-Through = yes, Auth-Type := EAP DEFAULT, User-Name =~ "^[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss]@.*$" Auth-Type := EAP DEFAULT, User-Name =~ "$@$" Auth-Type := EAP DEFAULT Realm == NULL Auth-Type := Reject ----------------------------------------------------------------------------- ----------------------------------------------------------------------------- eap.conf Although it is not doing anything as I learned eap { timer_expire = 60 ignore_unknown_eap_types = yes cisco_accounting_username_bug = no md5 { } leap { } tls { private_key_password = pass private_key_file = /usr/src/freeradius/key.pem #${raddbdir}/certs/cert-srv.pem certificate_file = /usr/src/freeradius/freeradius-cert.pem CA_file = /usr/src/freeradius/chain.txt dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random fragment_size = 1024 include_length = yes } ttls { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = yes } peap { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = yes } mschapv2 { } } ----------------------------------------------------------------------------- radiusd.conf, where I hardly changed anything. I commentec many things out... prefix = /usr exec_prefix = ${prefix} sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = /var/log/radius/radius.log log_destination = files libdir = /usr/lib/freeradius pidfile = ${run_dir}/radiusd.pid max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = yes log_auth = yes log_auth_badpass = yes log_auth_goodpass = yes usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = yes $INCLUDE ${confdir}/proxy.conf $INCLUDE ${confdir}/clients.conf snmp = no $INCLUDE ${confdir}/snmp.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pap { auto_header = yes } chap { authtype = CHAP } pam { pam_auth = radiusd } unix { cache = no cache_reload = 600 radwtmp = ${logdir}/radwtmp } $INCLUDE ${confdir}/eap.conf mschap { use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = no } realm IPASS { format = prefix delimiter = "/" ignore_default = no ignore_null = no } realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } realm realmpercent { format = suffix delimiter = "%" ignore_default = no ignore_null = no } realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no } checkval { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users preproxy_usersfile = ${confdir}/preproxy_users compat = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } $INCLUDE ${confdir}/sql.conf radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } sqlcounter dailycounter { counter-name = Daily-Session-Time check-name = Max-Daily-Session reply-name = Session-Timeout sqlmod-inst = sql key = User-Name reset = daily query = "SELECT SUM(AcctSessionTime - \ GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \ FROM radacct WHERE UserName='%{%k}' AND \ UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" } sqlcounter monthlycounter { counter-name = Monthly-Session-Time check-name = Max-Monthly-Session reply-name = Session-Timeout sqlmod-inst = sql key = User-Name reset = monthly # This query properly handles calls that span from the # previous reset period into the current period but # involves more work for the SQL server than those # below # The same notes above about the differences between mysql # versus postgres queries apply here. query = "SELECT SUM(AcctSessionTime - \ GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \ FROM radacct WHERE UserName='%{%k}' AND \ UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply } instantiate { exec expr } authorize { preprocess attr_filter chap mschap suffix eap files pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix eap } preacct { preprocess acct_unique suffix files } accounting { detail unix radutmp } session { radutmp } post-auth { } pre-proxy { } post-proxy { eap }