freeradius-proxy + PAP works, PEAP and the rest doesn't

Ivan Kalik tnt at kalik.net
Thu Jul 3 18:29:56 CEST 2008


If pap works and peap (mschap) doesn't the reason is usually that the
passwords kept on the home server are encrypted.

If they are, nothing apart from changing the passwords to cleartext ones
will make peap, mschap or chap work. You will be able to get
EAP-TTLS/PAP to work.

Ivan Kalik
Kalik Informatika ISP


On 3/7/2008, "uni at christiankraus.de" <uni at christiankraus.de> wrote:

>>> - External users should be able to login on WLAN via 802.1X with
>>> MSCHAPv2/PEAP in Windows XP.
>
>>  That's relatively easy.  In 2.0, just install it, configure a
>>user/password (see the FAQ), start it in debug mode as root, and
>>un-check "validate server certificate" on the Windows box.
>
>Well, this is already running with internal users. Those are correctly proxied to the local internal Radius Server.
>Also they don't have to uncheck the "validate server certificate". They can authenticate it against a valid CA. There everything runs great. The problem exists with external customers that are proxied to another one.
>
>
>>> When using local radtest to verify the user, everything looks okay. But as
>>> soon as I take a windows client, properly configured, or the radeapclient, it
>>> doesn't work.
>>> 
>>> Here is the output from radius -X.
>>> It is 1.1.7, but the same errors occur on version 2.0.5:
>>Don't run 1.1.7.  Honest.
>
>Well I tried 2.0.5 first, then I switched to 1.1.7 just for testing. Both don't work.
>
>>> #/This message appears about 2000+ times
>>><shrug>  It's 1.1.7.
>
>Well, the output from radius -X had 17,5MB of size...
>
>
>>> rad_recv: Access-Reject packet from host 139.212.22.110:1812, id=1,
>>> length=40
>>> Reply-Message = "Request Denied"
>>> Proxy-State = 0x3931
>>So... the home server is rejecting the user.
>>Have you run the home server in debug mode to see what it's doing, and
>>why it's rejecting the request?  If not, why not?  Is it even FreeRADIUS?
>
>Well, I do not have any influence on that home server on my own. But...
>
>>>My guess is that the home server cannot do EAP.  If so, why are you
>>>"going crazy with freeradius"?  You're blaming the proxy for the actions of the home server.
>
>...
>
>>>Go fix the home server to do EAP.  If you can't make it do EAP, throw
>>>it away, and replace it with FreeRADIUS.
>
>... that Radius Server is a FreeRadius server. I called the administrator of it. And it is running great with all other Radius servers within the rest of the "sharing WLAN access" community.
>It is in fact running now for years.
>
>So, must be another error, I guess?
>
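Why PAP keeps working against hashed passwords while challenge-response methods fail, as an added example that is not part of the original thread. It uses plain CHAP (RFC 1994), the simplest of the methods named in the reply, and a salted SHA-1 store as one possible "encrypted" format; the password, salt and challenge are constructed sample values, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac

def ssha(password: bytes, salt: bytes) -> bytes:
    """Salted SHA-1 in the {SSHA} layout: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)

def pap_check(stored: bytes, sent_password: bytes) -> bool:
    """PAP delivers the password itself, so the server can re-hash it and compare."""
    if stored.startswith(b"{SSHA}"):
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]
        candidate = hashlib.sha1(sent_password + salt).digest()
        return hmac.compare_digest(candidate, digest)
    return hmac.compare_digest(stored, sent_password)

def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

def chap_check(stored: bytes, chap_id: int, challenge: bytes, response: bytes) -> bool:
    """CHAP never sends the password. The server must recompute the response
    from what it has stored, which only matches if that is the cleartext."""
    expected = chap_response(chap_id, stored, challenge)
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    password = b"constructed-example-pw"          # constructed sample value
    salt = bytes.fromhex("0011223344556677")      # fixed so the run is reproducible
    challenge = bytes(range(16))                  # constructed 16-byte challenge
    response = chap_response(7, password, challenge)  # what the client sends
    hashed = ssha(password, salt)
    return {
        "pap_hashed_store": pap_check(hashed, password),
        "pap_clear_store": pap_check(password, password),
        "chap_hashed_store": chap_check(hashed, 7, challenge, response),
        "chap_clear_store": chap_check(password, 7, challenge, response),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'Access-Accept' if accepted else 'Access-Reject'}")
```

Only the CHAP check against the hashed store is rejected, even though the client used the correct password.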