not sure what you've done - I've used FreeRADIUS with native radsec connectivity to proxy EAP to remote servers (RADIATOR and radsecproxy) and to receive EAP from the same remote proxies. Would suggest, as Alan had said, to grab debug and check what the server is doing. its all quite clear what its doing (dont be overwhelmed by all the output, just read it step by step...) - there will be some very ovbious difference between the EAP and your radtest - likely to be related to action of server when packet has gone into inner-tunnel (which, I'm guessing it shouldnt be doing as its supposed to be proxied to remote site......) alan On 13 July 2017 at 15:23, Alan DeKok <aland@deployingradius.com> wrote:
On Jul 13, 2017, at 9:46 AM, Luciano Fernandes da Rocha <luciano.rocha@rnp.br> wrote:
Briefly, our scenario has 3 servers with FreeRadius 3.0.14. 2 institutions (ufjfteste.br and rnpteste.br) and 1 FLR (.br). On the institution level we run RadSec (embedded TCP/TLS in FreeRadius3) to communicate with our FLR, a radsecproxy. So, using this TLS communication, EAP does not work, but turning off it and doing the communication between all servers using only UDP (disabling RadSec at institutions and radsecproxy at FLR), all EAP methods works.
Please be clearer about "it doesn't work". What happens? What does the debug say?
To confirm it, if we turn on the TLS communication, we could only authenticate using 'radtest' (as we know, a simple authentication without EAP).
We suspect that EAP messages are lost during the exchanging when TLS communication are enable.
The server doesn't lose EAP messages.
Do you have any ideia about it to help us?
Read the debug output. Or, post it to the list. Nothing else will help.
if it's too large to send on the list (~500K), send it to me off-list. Preferably gzip'd.
Set up a proxy which uses RadSec to talk to a home server. Set up the home server with test certs and a test user. Use wpa_supplicant to send packets to the proxy.
Then send ALL the debug output over.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html