You are (still) not listening.
======== Proxy.conf ==================================================================== realm NULL { type = radius authhost = LOCAL accthost = LOCAL }
realm LOCAL { type = radius authhost = LOCAL accthost = LOCAL }
realm DOMAIN { type = radius authhost = LOCAL accthost = LOCAL }
realm SECURACCESS { type = radius authhost = 192.168.1.75:1812 accthost = 192.168.1.75:1813 secret = toor # nostrip }
I have told you to split user and server domains. Rename this SECUREACCESS into something like SECURE and make another entry for SECUREACCESS that will be the same as LOCAL.
==== users =========================================================================== DEFAULT FreeRADIUS-Proxied-To !* 127.0.0.1, Proxy-To-Realm := LOCAL SECURACCESS FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := "SECURACCESS" ==ENDusers===================================================================
Is that first entry doing anything? Proxy to (now renamed) SECURE (server realm, leave users realm alone).
======== output: =================================================== rad_recv: Access-Request packet from host 192.168.1.150:32797, id=185, length=199 User-Name = "joakimlindgren@SECURACCESS" NAS-IP-Address = 192.168.1.73 NAS-Port = 1 NAS-Identifier = "10" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "0012793DFC0C" Called-Station-Id = "000B86600A58" Framed-MTU = 1100 EAP-Message = 0x0201001f016a6f616b696d6c696e646772656e405345435552414343455353 Aruba-Essid-Name = "demo-wpa-aes-eap-radius" Aruba-Location-Id = "1.1.1" Message-Authenticator = 0x4a71e7a8e828c5fbfeba6f153ee22c40
..
Mon Feb 4 13:04:03 2008 : Debug: rlm_realm: Proxying request from user joakimlindgren to realm SECURACCESS Mon Feb 4 13:04:03 2008 : Debug: rlm_realm: Adding Realm = "SECURACCESS" Mon Feb 4 13:04:03 2008 : Debug: rlm_realm: Preparing to proxy authentication request to realm "SECURACCESS" ..
EAP doesn't get terminated - it gets proxied. Or at least that's where this is heading. .. ..
Mon Feb 4 13:04:03 2008 : Debug: rlm_eap: Request is supposed to be proxied to Realm SECURACCESS. Not doing EAP. ..
Server thinks so too. ..
Mon Feb 4 13:04:04 2008 : Debug: rlm_pap: No clear-text password in the request. Not performing PAP. ..
Because it is an EAP request. ..
Mon Feb 4 13:04:04 2008 : Debug: WARNING: You set Proxy-To-Realm = LOCAL, but it is a LOCAL realm! Cancelling invalid proxy request. ..
Hm, so that first entry in users file does something. Try wihout it. This is why the request doesn't get proxied. ..
Sending Access-Reject of id 185 to 192.168.1.150 port 32797 Reply-Message = "" ..
Without proxying the request at all.
======== My thoughts about the output: ==========================================
Mon Feb 4 13:04:03 2008 : Debug: rlm_eap: Request is supposed to be proxied to Realm >SECURACCESS. Not doing EAP.
Detects that we want to proxy domain SECURACCESS. Terminate EAP and only proxy PAP.
That's not how you terminate EAP. You need to go through the whole TLS negotiation first. Once that is done, inner request will be extracted and that can be proxied.
Mon Feb 4 13:04:03 2008 : Debug: modsingle[authorize]: calling files (rlm_files) for request 0 Mon Feb 4 13:04:03 2008 : Debug: users: Matched entry DEFAULT at line 209 Mon Feb 4 13:04:03 2008 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 0 Mon Feb 4 13:04:03 2008 : Debug: modcall[authorize]: module "files" returns ok for request 0
Found the DEFAULT entry in users: DEFAULT FreeRADIUS-Proxied-To !* 127.0.0.1, Proxy-To-Realm := LOCAL
OK, but that's irrelevant. You should make (users) realm SECURACCESS local too.
Mon Feb 4 13:04:04 2008 : Debug: rlm_pap: No clear-text password in the request. Not performing PAP.
Not finding a clear-text password? Why can´t it suddenly use the password stored in the eDirectory (Stored as clear-text?).
Read the debug ==> No clear-text password in the *request*. That's because the request is still EAP.
Mon Feb 4 13:04:04 2008 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 0 Mon Feb 4 13:04:04 2008 : Debug: modcall[authorize]: module "pap" returns noop for request 0 Mon Feb 4 13:04:04 2008 : Debug: modcall: leaving group authorize (returns updated) for request 0 Mon Feb 4 13:04:04 2008 : Debug: WARNING: You set Proxy-To-Realm = LOCAL, but it is a LOCAL >realm! Cancelling invalid proxy request.
Only a warning right?
Mon Feb 4 13:04:04 2008 : Debug: auth: type Local Mon Feb 4 13:04:04 2008 : Debug: auth: No User-Password or CHAP-Password attribute in the request
Failed due to not finding a User-Password...Why?
Because there is no password in the request - it's an EAP request. You need to finish with EAP first and then PAP attributes will be available. Ivan Kalik Kalik Informatika ISP