Hi Alan I have a number of XP and Windows 2K wifi clients to Proxim AP700 AP's using FreeRADIUS on Fedora C4 These use eap peap mschapv2 The system works well on ver 1.0.2 using usernames/passwords in the users file or by configuring LDAP and using a LDAP database, and logs to mysql I now need to authenticate by proxy to a legacy SteelBelted radius server capable of PAP,CHAP and MSCHAPv2 but not able to support EAP I configured the proxy.conf for the realm wifi (with nostrip) and I can communicate with the legacy server, it sends back a reject due to not supporting EAP I therefore need to terminate EAP on Freeradius and pass on the MSchapv2 to the proxy server Having read all I can on early termination of EAP I added the LOCAL realm realm LOCAL { type = radius authhost = LOCAL accthost = LOCAL } I have added 2 lines to the users file DEFAULT FreeRADIUS-Proxied-To !* 127.0.0.1, Proxy-To-Realm := LOCAL, Auth-Type = EAP (line 167) DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := wifi (line 168) The first line (at line 167) causes the proxy to be cancelled and the eap is handled locally, it gets to the mschapv2 part matched (at line 168) It appears as if its going to send the request to wifi, with no EAP, then it stops. The AP then retries the request, with the same result. This seems to be due to WARNING: Cancelling proxy to Realm LOCAL, as the realm is local rather than proxying only the mschapv2 to wifi I have upgraded to v 1.0.5 I still get the same results Authorise and accounting in radiusd.conf has EAP and mschap Is it possible ? I have researched from your site as much as possible before asking, Am I missing a configuration option? Your help would be much appreciated, Thanks Andy. eap.conf eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/cert-srv.pem certificate_file = ${raddbdir}/certs/cert-srv.pem CA_file = ${raddbdir}/certs/demoCA/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random include_length = yes # check_crl = yes # check_cert_cn = %{User-Name} } # peap { default_eap_type = mschapv2 proxy_tunneled_request_as_eap = no } mschapv2 { } } Listening on authentication *:1812 Listening on accounting *:1813 Listening on proxy *:1814 Ready to process requests. rad_recv: Access-Request packet from host 172.24.2.10:6001, id=40, length=154 User-Name = "andygoy@wifi" NAS-IP-Address = 172.24.2.10 Called-Station-Id = "00-20-a6-56-3a-4a:XXHOTSPOTFC1" Calling-Station-Id = "00-13-ce-0e-f5-c6" NAS-Identifier = "XX-HOTSPOT-1" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0202001101616e6479676f794077696669 Message-Authenticator = 0x206d804b1c31514e5743b1c03efdfcaf Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 radius_xlat: '/etc/var/log/radius/radacct/172.24.2.10/auth-detail-20051230' rlm_detail: /etc/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /etc/var/log/radius/radacct/172.24.2.10/auth-detail-20051230 modcall[authorize]: module "auth_log" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 rlm_realm: Looking up realm "wifi" for User-Name = "andygoy@wifi" rlm_realm: Found realm "wifi" rlm_realm: Proxying request from user andygoy to realm wifi rlm_realm: Adding Realm = "wifi" rlm_realm: Preparing to proxy authentication request to realm "wifi" modcall[authorize]: module "suffix" returns updated for request 0 rlm_eap: Request is supposed to be proxied to Realm wifi. Not doing EAP. modcall[authorize]: module "eap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 users: Matched entry DEFAULT at line 167 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 WARNING: You set Proxy-To-Realm = LOCAL, but it is a LOCAL realm! Cancelling invalid proxy request. rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 WARNING: Cancelling proxy to Realm LOCAL, as the realm is local Sending Access-Challenge of id 40 to 172.24.2.10 port 6001 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0b7df43e9fc35a77966d3c95bb99a754 Finished request 0 Going to the next request etc etc----------------------------------------------------------------------- rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Setting User-Name to andygoy@wifi PEAP: Adding old state with 0e aa Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 radius_xlat: '/etc/var/log/radius/radacct/127.0.0.1/auth-detail-20051230' rlm_detail: /etc/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /etc/var/log/radius/radacct/127.0.0.1/auth-detail-20051230 modcall[authorize]: module "auth_log" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 rlm_realm: Looking up realm "wifi" for User-Name = "andygoy@wifi" rlm_realm: Found realm "wifi" rlm_realm: Proxying request from user andygoy to realm wifi rlm_realm: Adding Realm = "wifi" rlm_realm: Preparing to proxy authentication request to realm "wifi" modcall[authorize]: module "suffix" returns updated for request 6 rlm_eap: Request is supposed to be proxied to Realm wifi. Not doing EAP. modcall[authorize]: module "eap" returns noop for request 6 modcall[authorize]: module "mschap" returns noop for request 6 users: Matched entry DEFAULT at line 168 modcall[authorize]: module "files" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 PEAP: Calling authenticate in order to initiate tunneled EAP session. Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Not-EAP proxy set. Not composing EAP modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 PEAP: Tunneled authentication will be proxied to wifi PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy. Tunneled session will be proxied. Not doing EAP. modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 WARNING: Cancelling proxy to Realm LOCAL, as the realm is local Finished request 6 Going to the next request Waking up in 4 seconds... rad_recv: Access-Request packet from host 172.24.2.10:6001, id=46, length=249 The content of this e-mail and any attachment is private and may be legally privileged. If you are not the intended recipient, any use, disclosure, copying or forwarding of this e-mail and/or its attachments is unauthorised. If you have received this e-mail in error please notify the sender by e- mail and delete this message and any attachments immediately from this system. Kingston Communications (HULL) PLC is a public limited company incorporated in England and Wales with registration number 02150618 and whose registered office is at 37 Carr Lane, Hull HU1 3RE