On gio, 2015-09-10 at 18:47 +0100, Arran Cudbard-Bell wrote:
On 10 Sep 2015, at 15:57, Leonardo Arena <rnalrd@gmail.com> wrote:
Hi list,
I have a FreeRADIUS 3.0.3 proxy which forward all Cisco WAPs Wireless-802.11 authentication requests to a Windows NPS server. Clients use PEAP to authenticate.
What I'm seeing is that the Access-Challenge from the NPS is forwarded without any AVPs, and of course the WAP silently drops it.
Please find below the debug output and the relevant configuration files attached.
Couldn't find really anything helpful in the ML archive.
Could you please give me any suggestion of what could be wrong?
Weird, unless you list a filter module in post-proxy the response should be forwarded. You're using a very out of date version of v3.0.x though, try 3.0.9 and see if you still see the same issue.
I'm using default attr-filter module (see below) and AFAICS it's used only by inner-tunnel, and I don't have any post-proxy file. I'll give a shot with 3.0.9 although with 3.0.4 clients.conf changed syntax IIRC and that's why we stick with 3.0.3. Upgrading clients.conf in 200+ installations does not look an attractive option. :) Thanks! - leo /etc/raddb/mods-enabled# cat attr_filter # -*- text -*- # # $Id: 1caff077b2429c948a04777fcd619be901ac83dc $ # # This file defines a number of instances of the "attr_filter" module. # # attr_filter - filters the attributes received in replies from # proxied servers, to make sure we send back to our RADIUS client # only allowed attributes. attr_filter attr_filter.post-proxy { key = "%{Realm}" filename = ${modconfdir}/${.:name}/post-proxy } # attr_filter - filters the attributes in the packets we send to # the RADIUS home servers. attr_filter attr_filter.pre-proxy { key = "%{Realm}" filename = ${modconfdir}/${.:name}/pre-proxy } # Enforce RFC requirements on the contents of Access-Reject # packets. See the comments at the top of the file for # more details. # attr_filter attr_filter.access_reject { key = "%{User-Name}" filename = ${modconfdir}/${.:name}/access_reject } # Enforce RFC requirements on the contents of Access-Challenge # packets. See the comments at the top of the file for # more details. # attr_filter attr_filter.access_challenge { key = "%{User-Name}" filename = ${modconfdir}/${.:name}/access_challenge } # Enforce RFC requirements on the contents of the # Accounting-Response packets. See the comments at the # top of the file for more details. # attr_filter attr_filter.accounting_response { key = "%{User-Name}" filename = ${modconfdir}/${.:name}/accounting_response }