Well its no univention package, its only from the univention repo. they dont like other repos in their system.

Well i started with a fresh installation and made minimal changes.
i put in the ap's in clients.conf, activated and configured ldap and copied the certs in the correct direction. well i also activated all the log options for better debugging.

ill post two more things. the output from start with -X and the inner-tunnel.

This is the output when i start with -X:

root@srtcsvo04:/etc/univention/ssl# /usr/sbin/freeradius -X
FreeRADIUS Version 2.0.4, for host x86_64-pc-linux-gnu, built on Nov 22 2010 at 14:36:23
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/snmp.conf
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
including dictionary file /etc/freeradius/dictionary
main {
    prefix = "/usr"
    localstatedir = "/var"
    logdir = "/var/log/freeradius"
    libdir = "/usr/lib/freeradius"
    radacctdir = "/var/log/freeradius/radacct"
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    allow_core_dumps = no
    pidfile = "/var/run/freeradius/freeradius.pid"
    user = "freerad"
    group = "freerad"
    checkrad = "/usr/sbin/checkrad"
    debug_level = 0
    proxy_requests = yes
 security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
 }
}
 client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = "***"
    nastype = "other"
 }
 client 10.119.12.1 {
    require_message_authenticator = no
    secret = "***"
    shortname = "aptcsvo01"
    nastype = "other"
 }
 client 10.119.12.2 {
    require_message_authenticator = no
    secret = "***"
    shortname = "aptcsvo02"
    nastype = "other"
 }
 client 10.119.12.3 {
    require_message_authenticator = no
    secret = "***"
    shortname = "aptcsvo03"
    nastype = "other"
 }
 client 10.119.12.4 {
    require_message_authenticator = no
    secret = "AhVeig1nai"
    shortname = "aptcsvo04"
    nastype = "other"
 }
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
    retry_delay = 5
    retry_count = 3
    default_fallback = no
    dead_time = 120
    wake_all_if_all_dead = no
 }
 home_server localhost {
    ipaddr = 127.0.0.1
    port = 1812
    type = "auth"
    secret = "***"
    response_window = 20
    max_outstanding = 65536
    zombie_period = 40
    status_check = "status-server"
    ping_check = "none"
    ping_interval = 30
    check_interval = 30
    num_answers_to_alive = 3
    num_pings_to_alive = 3
    revive_interval = 120
    status_check_timeout = 4
 }
 home_server_pool my_auth_failover {
    type = fail-over
    home_server = localhost
 }
 realm example.com {
    auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
    wait = yes
    input_pairs = "request"
    shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
    reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
    reply-message = "You are calling outside your allowed timespan  "
    minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
    encryption_scheme = "auto"
    auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
    use_mppe = yes
    require_encryption = no
    require_strong = no
    with_ntdomain_hack = no
  }
 Module: Linked to module rlm_pam
 Module: Instantiating pam
  pam {
    pam_auth = "radiusd"
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
    radwtmp = "/var/log/freeradius/radwtmp"
  }
 Module: Linked to module rlm_ldap
 Module: Instantiating ldap
  ldap {
    server = "localhost"
    port = 389
    password = "pPWSrf5"
    identity = "cn=admin,dc=tcsvo,dc=local"
    net_timeout = 1
    timeout = 4
    timelimit = 3
    tls_mode = no
    start_tls = no
    tls_require_cert = "allow"
   tls {
    start_tls = yes
    require_cert = "allow"
   }
    basedn = "dc=tcsvo,dc=local"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    base_filter = "(objectclass=radiusprofile)"
    password_attribute = "sambaLmPassword,sambaNtPassword"
    auto_header = no
    access_attr = "uid"
    access_attr_used_for_allow = yes
    groupname_attribute = "cn"
    groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
    dictionary_mapping = "/etc/freeradius/ldap.attrmap"
    ldap_debug = 0
    ldap_connections_number = 5
    compare_check_items = no
    do_xlat = yes
    edir_account_policy_check = no
    set_auth_type = yes
  }
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP userPassword mapped to RADIUS Cleartext-Password
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
conns: 0x18a2540
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
    default_eap_type = "md5"
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
    challenge = "Password: "
    auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
    rsa_key_exchange = no
    dh_key_exchange = yes
    rsa_key_length = 512
    dh_key_length = 512
    verify_depth = 0
    pem_file_type = yes
    private_key_file = "/etc/freeradius/certs/private.key"
    certificate_file = "/etc/freeradius/certs/cert.pem"
    CA_file = "/etc/freeradius/certs/CAcert.pem"
    private_key_password = "whatever"
    dh_file = "/etc/freeradius/certs/dh"
    random_file = "/etc/freeradius/certs/random"
    fragment_size = 1024
    include_length = yes
    check_crl = no
    cipher_list = "DEFAULT"
    make_cert_command = "/etc/freeradius/certs/bootstrap"
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
    default_eap_type = "md5"
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    virtual_server = "inner-tunnel"
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
    default_eap_type = "mschapv2"
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    proxy_tunneled_request_as_eap = yes
    virtual_server = "inner-tunnel"
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
    with_ntdomain_hack = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
    format = "suffix"
    delimiter = "@"
    ignore_default = no
    ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
    usersfile = "/etc/freeradius/users"
    acctusersfile = "/etc/freeradius/acct_users"
    preproxy_usersfile = "/etc/freeradius/preproxy_users"
    compat = "no"
  }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
    filename = "/var/log/freeradius/radutmp"
    username = "%{User-Name}"
    case_sensitive = yes
    check_with_nas = yes
    perm = 384
    callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_attr_filter
 Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
    attrsfile = "/etc/freeradius/attrs.access_reject"
    key = "%{User-Name}"
  }
 }
}
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
    huntgroups = "/etc/freeradius/huntgroups"
    hints = "/etc/freeradius/hints"
    with_ascend_hack = no
    ascend_channels_per_line = 23
    with_ntdomain_hack = no
    with_specialix_jetstream_hack = no
    with_cisco_vsa_hack = no
    with_alvarion_vsa_hack = no
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
    key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating detail
  detail {
    detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
    header = "%t"
    detailperm = 384
    dirperm = 493
    locking = no
    log_packet_header = no
  }
 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
    attrsfile = "/etc/freeradius/attrs.accounting_response"
    key = "%{User-Name}"
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 }
}
radiusd: #### Opening IP addresses and Ports ####
listen {
    type = "auth"
    ipaddr = *
    port = 0
}
listen {
    type = "acct"
    ipaddr = *
    port = 0
}
main {
    snmp = no
    smux_password = ""
    snmp_write_access = no
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.


and here is the inner-tunnel:

root@srtcsvo04:/etc/univention/ssl# cat /etc/freeradius/sites-enabled/inner-tunnel
# -*- text -*-
######################################################################
#
#    This is a virtual server that handles *only* inner tunnel
#    requests for EAP-TTLS and PEAP types.
#
#    $Id: inner-tunnel,v 1.6 2008/03/29 21:33:12 aland Exp $
#
######################################################################

server inner-tunnel {

#
#  Un-comment the next section to perform test on the inner tunnel
#  without needing an outer tunnel session.  The tests will not be
#  exactly the same as when TTLS or PEAP are used, but they will
#  be close enough for many tests.
#
#listen {
#       ipaddr = 127.0.0.1
#       port = 18120
#       type = auth
#}


#  Authorization. First preprocess (hints and huntgroups files),
#  then realms, and finally look in the "users" file.
#
#  The order of the realm modules will determine the order that
#  we try to find a matching realm.
#
#  Make *sure* that 'preprocess' comes before any realm if you
#  need to setup hints for the remote radius server
authorize {
    #
    #  The chap module will set 'Auth-Type := CHAP' if we are
    #  handling a CHAP request and Auth-Type has not already been set
    chap

    #
    #  If the users are logging in with an MS-CHAP-Challenge
    #  attribute for authentication, the mschap module will find
    #  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
    #  to the request, which will cause the server to then use
    #  the mschap module for authentication.
    mschap

    #
    #  Pull crypt'd passwords from /etc/passwd or /etc/shadow,
    #  using the system API's to get the password.  If you want
    #  to read /etc/passwd or /etc/shadow directly, see the
    #  passwd module, above.
    #
    unix

    #
    #  Look for IPASS style 'realm/', and if not found, look for
    #  '@realm', and decide whether or not to proxy, based on
    #  that.
#    IPASS

    #
    #  If you are using multiple kinds of realms, you probably
    #  want to set "ignore_null = yes" for all of them.
    #  Otherwise, when the first style of realm doesn't match,
    #  the other styles won't be checked.
    #
    #  Note that proxying the inner tunnel authentication means
    #  that the user MAY use one identity in the outer session
    #  (e.g. "anonymous", and a different one here
    #  (e.g. "user@example.com").  The inner session will then be
    #  proxied elsewhere for authentication.  If you are not
    #  careful, this means that the user can cause you to forward
    #  the authentication to another RADIUS server, and have the
    #  accounting logs *not* sent to the other server.  This makes
    #  it difficult to bill people for their network activity.
    #
    suffix
#    ntdomain

    #
    #  The "suffix" module takes care of stripping the domain
    #  (e.g. "@example.com") from the User-Name attribute, and the
    #  next few lines ensure that the request is not proxied.
    #
    #  If you want the inner tunnel request to be proxied, delete
    #  the next few lines.
    #
    update control {
           Proxy-To-Realm := LOCAL
    }

    #
    #  This module takes care of EAP-MSCHAPv2 authentication.
    #
    #  It also sets the EAP-Type attribute in the request
    #  attribute list to the EAP type from the packet.
    #
    #  The example below uses module failover to avoid querying all
    #  of the following modules if the EAP module returns "ok".
    #  Therefore, your LDAP and/or SQL servers will not be queried
    #  for the many packets that go back and forth to set up TTLS
    #  or PEAP.  The load on those servers will therefore be reduced.
    #
    eap {
        ok = return
    }

    #
    #  Read the 'users' file
    files

    #
    #  Look in an SQL database.  The schema of the database
    #  is meant to mirror the "users" file.
    #
    #  See "Authorization Queries" in sql.conf
#    sql

    #
    #  If you are using /etc/smbpasswd, and are also doing
    #  mschap authentication, the un-comment this line, and
    #  configure the 'etc_smbpasswd' module, above.
#    etc_smbpasswd

    #
    #  The ldap module will set Auth-Type to LDAP if it has not
    #  already been set
    ldap

    #
    #  Enforce daily limits on time spent logged in.
#    daily

    #
    # Use the checkval module
#    checkval

    expiration
    logintime

    #
    #  If no other module has claimed responsibility for
    #  authentication, then try to use PAP.  This allows the
    #  other modules listed above to add a "known good" password
    #  to the request, and to do nothing else.  The PAP module
    #  will then see that password, and use it to do PAP
    #  authentication.
    #
    #  This module should be listed last, so that the other modules
    #  get a chance to set Auth-Type for themselves.
    #
    pap
}


#  Authentication.
#
#
#  This section lists which modules are available for authentication.
#  Note that it does NOT mean 'try each module in order'.  It means
#  that a module from the 'authorize' section adds a configuration
#  attribute 'Auth-Type := FOO'.  That authentication type is then
#  used to pick the apropriate module from the list below.
#

#  In general, you SHOULD NOT set the Auth-Type attribute.  The server
#  will figure it out on its own, and will do the right thing.  The
#  most common side effect of erroneously setting the Auth-Type
#  attribute is that one authentication method will work, but the
#  others will not.
#
#  The common reasons to set the Auth-Type attribute by hand
#  is to either forcibly reject the user, or forcibly accept him.
#
authenticate {
    #
    #  PAP authentication, when a back-end database listed
    #  in the 'authorize' section supplies a password.  The
    #  password can be clear-text, or encrypted.
    Auth-Type PAP {
        pap
    }

    #
    #  Most people want CHAP authentication
    #  A back-end database listed in the 'authorize' section
    #  MUST supply a CLEAR TEXT password.  Encrypted passwords
    #  won't work.
    Auth-Type CHAP {
        chap
    }

    #
    #  MSCHAP authentication.
    Auth-Type MS-CHAP {
        mschap
    }

    #
    #  Pluggable Authentication Modules.
    pam

    #
    #  See 'man getpwent' for information on how the 'unix'
    #  module checks the users password.  Note that packets
    #  containing CHAP-Password attributes CANNOT be authenticated
    #  against /etc/passwd!  See the FAQ for details.
    # 
    unix

    # Uncomment it if you want to use ldap for authentication
    #
    # Note that this means "check plain-text password against
    # the ldap database", which means that EAP won't work,
    # as it does not supply a plain-text password.
    Auth-Type LDAP {
        ldap
    }

    #
    #  Allow EAP authentication.
    eap
}

######################################################################
#
#    There are no accounting requests inside of EAP-TTLS or PEAP
#    tunnels.
#
######################################################################


#  Session database, used for checking Simultaneous-Use. Either the radutmp
#  or rlm_sql module can handle this.
#  The rlm_sql module is *much* faster
session {
    radutmp

    #
    #  See "Simultaneous Use Checking Queries" in sql.conf
#    sql
}


#  Post-Authentication
#  Once we KNOW that the user has been authenticated, there are
#  additional steps we can take.
post-auth {
    # Note that we do NOT assign IP addresses here.
    # If you try to assign IP addresses for EAP authentication types,
    # it WILL NOT WORK.  You MUST use DHCP.

    #
    #  If you want to have a log of authentication replies,
    #  un-comment the following line, and the 'detail reply_log'
    #  section, above.
#    reply_log

    #
    #  After authenticating the user, do another SQL query.
    #
    #  See "Authentication Logging Queries" in sql.conf
#    sql

    #
    #  Instead of sending the query to the SQL server,
    #  write it into a log file.
    #
#    sql_log

    #
    #  Un-comment the following if you have set
    #  'edir_account_policy_check = yes' in the ldap module sub-section of
    #  the 'modules' section.
    #
    ldap

    #
    #  Access-Reject packets are sent through the REJECT sub-section of the
    #  post-auth section.
    #
    #  Add the ldap module name (or instance) if you have set
    #  'edir_account_policy_check = yes' in the ldap module configuration
    #
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }

    #
    #  The example policy below updates the outer tunnel reply
    #  (usually Access-Accept) with the User-Name from the inner
    #  tunnel User-Name.  Since this section is processed in the
    #  context of the inner tunnel, "request" here means "inner
    #  tunnel request", and "outer.reply" means "outer tunnel
    #  reply attributes".
    #
    #  This example is most useful when the outer session contains
    #  a User-Name of "anonymous@....", or a MAC address.  If it
    #  is enabled, the NAS SHOULD use the inner tunnel User-Name
    #  in subsequent accounting packets.  This makes it easier to
    #  track user sessions, as they will all be based on the real
    #  name, and not on "anonymous".
    #
    #  The problem with doing this is that it ALSO exposes the
    #  real user name to any intermediate proxies.  People use
    #  "anonymous" identifiers outside of the tunnel for a very
    #  good reason: it gives them more privacy.  Setting the reply
    #  to contain the real user name removes ALL privacy from
    #  their session.
    #
    #  If you want privacy to remain, see the
    #  Chargeable-User-Identity attribute from RFC 4372.  In order
    #  to use that attribute, you will have to allocate a
    #  per-session identifier for the user, and store it in a
    #  long-term database (e.g. SQL).  You should also use that
    #  attribute INSTEAD of the configuration below.
    #
    #update outer.reply {
    #    User-Name = "%{request:User-Name}"
    #}

}

#
#  When the server decides to proxy a request to a home server,
#  the proxied request is first passed through the pre-proxy
#  stage.  This stage can re-write the request, or decide to
#  cancel the proxy.
#
#  Only a few modules currently have this method.
#
pre-proxy {
#    attr_rewrite

    #  Uncomment the following line if you want to change attributes
    #  as defined in the preproxy_users file.
#    files

    #  Uncomment the following line if you want to filter requests
    #  sent to remote servers based on the rules defined in the
    #  'attrs.pre-proxy' file.
#    attr_filter.pre-proxy

    #  If you want to have a log of packets proxied to a home
    #  server, un-comment the following line, and the
    #  'detail pre_proxy_log' section, above.
#    pre_proxy_log
}

#
#  When the server receives a reply to a request it proxied
#  to a home server, the request may be massaged here, in the
#  post-proxy stage.
#
post-proxy {

    #  If you want to have a log of replies from a home server,
    #  un-comment the following line, and the 'detail post_proxy_log'
    #  section, above.
#    post_proxy_log

#    attr_rewrite

    #  Uncomment the following line if you want to filter replies from
    #  remote proxies based on the rules defined in the 'attrs' file.
#    attr_filter.post-proxy

    #
    #  If you are proxying LEAP, you MUST configure the EAP
    #  module, and you MUST list it here, in the post-proxy
    #  stage.
    #
    #  You MUST also use the 'nostrip' option in the 'realm'
    #  configuration.  Otherwise, the User-Name attribute
    #  in the proxied request will not match the user name
    #  hidden inside of the EAP packet, and the end server will
    #  reject the EAP request.
    #
    eap

    #
    #  If the server tries to proxy a request and fails, then the
    #  request is processed through the modules in this section.
    #
    #  The main use of this section is to permit robust proxying
    #  of accounting packets.  The server can be configured to
    #  proxy accounting packets as part of normal processing.
    #  Then, if the home server goes down, accounting packets can
    #  be logged to a local "detail" file, for processing with
    #  radrelay.  When the home server comes back up, radrelay
    #  will read the detail file, and send the packets to the
    #  home server.
    #
    #  With this configuration, the server always responds to
    #  Accounting-Requests from the NAS, but only writes
    #  accounting packets to disk if the home server is down.
    #
#    Post-Proxy-Type Fail {
#            detail
#    }

}

} # inner-tunnel server block


Thanks for your help.



Am 09/11/2012 09:27 AM, schrieb Fajar A. Nugraha:
On Tue, Sep 11, 2012 at 2:13 PM, Mihajlo Joksimovic
<mihajlo.joksimovic@adfinis-sygroup.ch> wrote:
well i cannot update the installation because its an univention
installation.
Then ask them for help.

i activated the sections in inner-tunnel like that.
(sigh)

had you provided full debug log, we'd be able to see whether or not FR
REALLY picks up the inner tunnel. But you didn't provide that.

and radlogin will
connect properly to ldap. when someone wants to connect via access
point, it is not possible...



 authorize {
...
    #
        #  The ldap module will set Auth-Type to LDAP if it has not
        #  already been set
        ldap
...
}

your debug log contradicts your statement. Either you did not have it
in inner tunnel, or your default virtual server is broken so that it
DOESN'T use inner tunnel.

authenticate {
...
        # Uncomment it if you want to use ldap for authentication
        #
        # Note that this means "check plain-text password against
        # the ldap database", which means that EAP won't work,
        # as it does not supply a plain-text password.
        Auth-Type LDAP {
                ldap
        }
If you store passwords as plain text, you won't need that.

If you REALLY want to solve your problem, then listen to the
suggestions. If you can't upgrade your current server, then at least
setup a NEW server for testing purposes. Do what Phil suggests: Start
with a default config. Make small changes. Check each successful
config into version control.

That way you can know where the problem is. If it's a bug in
univention package version or config file, then ask them. The default
FR setup should work with minimal changes.


-- 
Adfinis SyGroup AG
Mihajlo Joksimovic, System Engineer

Güterstrasse 86 | CH-4053 Basel
Tel. 061 333 80 33