hi,
The freeradius server is authenticating (verifying passwords) against an external LDAP server (no AD involved). The LDAP part worked using radtest and plain-text passwords on localhost:1812. I enabled mschap in the authorize section of the inner-tunnel config, enabled ldap in mods-enabled/inner-tunnel, and enable the control:NT-Password in the update section of the ldap module. Radtest on localhost:18120 now works. Thanks for he help on this.
From the wireless client authentication without a realm now works. Log still show the authentication process looping through 10 times before sending the Access-Accept response.
Is this normal?
its not 'looping' - its going through the EAP process. cclient sends EAP request , server acknowledges, client starts PEA - server sends its server certificate, client accepts, client sends ID etc server then starts the MSCHAPv2 challenge response etc (this is all simplified ;-) - each of these takes the form of a new access request and challenge-response etc on RADIUS side. RADIUS is not a 'stateful conversation' - each RADIUS UDP datagram is its own isolated thing which passes through the RADIUS server from start to end (with a few shortcuts - like 'oh this is an ongoing conversation in the EAP phase, jump straight there' - part of this is because policies may change during the auth depending on what new bit on info is seen... and other things are more legacy. if you test your client with eg eapol_test - which simulates a conversation via a NAS - you will see this same conversation....radtest is a very very dumb 'user/password in one access-request' - only use it for very simple/dumb tests...then stop using it ;-) these resources may help :) http://packetlife.net/blog/2008/nov/10/ieee-8021x-cheat-sheet/ http://ptgmedia.pearsoncmg.com/images/chap07_1587051540/elementLinks/fig15.j... alan