OK, I think I'm another step closer now. I made the suggested change and there was no change in the logs. EAP still was not being done on the local machine and was failing on the proxy. However, I tried creating a second domain, set the original domain to go to LOCAL and the second domain to go to the proxy server. When I do that the proxy properly authenticates to Open Directory, step one. However, eventually I get a failure in rlm_eap again. modcall: entering group authenticate for request 8 rlm_eap: Request not found in the list rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request rlm_eap: Failed in handler Am I on to the beginning of a solution by using two domains or do I need to go back and then change something else? Kerry Tobin
------------------------------
Message: 7 Date: Wed, 05 Nov 2008 00:07:50 +0100 From: <tnt@kalik.net> Subject: Re: Unable to authenticate to Open Directory To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Message-ID: <OVuOqjFE.1225840070.2492580.tnt@kalik.net> Content-Type: text/plain; charset=ISO-8859-2
I think we're back to what I had been trying to do on my test machines now and still can't seem to get working.
When I add "DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To- Realm := DOMAIN" to users of the first server (I believe that's the correct place to put it). I get "rlm_eap: Request is supposed to be proxied to Realm DOMAIN. Not doing EAP." on the first server and the proxy server still says " rlm_eap: Identity does not match User-Name, setting from EAP Identity."
There is a setting proxy_tunneled_request_as_eap in peap section of eap.conf. Change that to no.
Ivan Kalik Kalik Informatika ISP
OK, I think I'm another step closer now. I made the suggested change and there was no change in the logs. EAP still was not being done on the local machine and was failing on the proxy. However, I tried creating a second domain, set the original domain to go to LOCAL and the second domain to go to the proxy server. When I do that the proxy properly authenticates to Open Directory, step one. However, eventually I get a failure in rlm_eap again.
modcall: entering group authenticate for request 8 rlm_eap: Request not found in the list rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request rlm_eap: Failed in handler
Am I on to the beginning of a solution by using two domains or do I need to go back and then change something else?
Can you post both debugs from the server that is terminating eap. You can start with the request before it decides to proxy (you can leave out eap-tls tunnel creation). Ivan Kalik Kalik Informatika ISP
participants (2)
-
Kerry Tobin -
tnt@kalik.net