Oscar RemÃrez de Ganuza Satrústegui wrote:
We are using freeradius (Version 2.1.9) to serve access requests for 802.1x, using PEAP/EAP/MSCHAPv2 (windows7). We use LDAP for authentication (user accounts) and authorization (Ldap-Groups). We also tunneled the request to the same radius for our realm "unav.es
That is a fairly common setup.
I am having some problems using huntgroups to identified the origin of a request. I have simplified the test trying to find out the problem, but I do not understand what it is happening:
(The "notworking log" is appended at the end of the message. I had to trim it to make it shorter)
It would have been better to follow the instruction in the FAQ, README, "man" page, web pages, and daily on this list: "radiusd -X". Using "radiusd -xX" produces 2x the output, and is NOT needed.
I can see in the "not working log" that on the first requests the huntgroup is been recognised ok. I just do not understand why it tries again to check it, until it fails (request #9).
Because it's checking the user *inside* of the TLS tunnel. Go read raddb/sites-available/inner-tunnel. You will probably need to modify your huntgroup check.
I also do not understand why it needs so many requests (12!) to work ok.
That's how 802.1X works. It sends lots of packets. Alan DeKok.