Ok I see that. I assume the username is coming from this portion of the client.cnf? [client] countryName = FR stateOrProvinceName = Radius localityName = Somewhere organizationName = Example Inc. emailAddress = user@example.com commonName = user@example.com I would have expected FR3 to ignore UserID/PWD when using EAP/TLS Certificates??? if it doesn’t do I have to create a username for each client cert? Or is there a conf file that I need to modify to work with EAP/TLS?
On Jul 7, 2015, at 2:07 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Jul 6, 2015, at 1:56 PM, Zeus Panchenko <zeus@ibs.dn.ua> wrote:
I am trying to configure MAC auth by implementing EAP/MD5 as it is described here: http://wiki.freeradius.org/modules/Rlm_eap#My-Userbase-is-in-LDAP-and-I-want...
FR v.3.0.8 is on FreeBSD 10.1R supplicant is on FreeBSD 10.1R connected (by wire) to FR wia switch
but something is wrong and I can not understand what ... please help me to see what I do not see ...
You edited the default configuration and broke it. Don't do that.
as backend I have LDAP and in it, userPassword format is Cleartext-Password (for the sample from the debug bellow it is `00-25-90-D9-76-2C'
as I understand from the debug bellow, I successfully pass authorization but fail to authenticate against eap_md5 ...
why?
Because you deleted the "pap" module from the "authorize" section. It should be listed last there. It takes care of normalizing passwords. In this case, turning Password-With-Header into Cleartext-Password.
---[ quotation start ]------------------------------------------- Mon Jul 6 20:27:36 2015 : Debug: (0) Received Access-Request Id 200 from 192.168.0.1:49205 to 192.168.0.254:1812 length 137
PLEASE just post "radiusd -X". This is what is requested in the FAQ, "man" pages, and daily on this list. Adding extra debug information doesn't help in most cases. Here, it just makes the problem harder to spot.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html