Referencing a redundant-load-balance set within users file
tnt at kalik.net
Fri Nov 14 17:14:02 CET 2008
Change use_tunneled_reply to yes in the peap section of eap.conf.
Ivan Kalik
Kalik Informatika ISP
On 14/11/2008, "Tod A. Sandman" <sandmant at rice.edu> wrote:
>> Ivan Kalik wrote:
>>> Why don't you map that in ldap.attrmap?
>
>Thanks so much. I removed all LDAP settings from users, and I have
>TTLS-PAP working fine with redundant LDAP for authorization and
>Kerberos for Authentication.
>
>Now I can't get the only other mode we need: PEAP/MSChapv2. LDAP
>authorization is working fine, and the ntlm-auth authentication works
>fine, but required attributes are not being sent back in the
>Access-Accept packet.
>
>Unlike when I connect via TTLS-PAP, the Access-Accept does not include
>some required attributes. The debug output shows them getting set
>properly within sites-enabled/inner-tunnel and getting updated with
>"update outer.reply", but they get dropped before the Access-Accept
>packet.
>
>I haven't touched sites-enabled/default.
>
>I enabled ldap in sites-enabled/inner-tunnel, and afterwards I do
>an "update outer.reply", i.e.:
>
> redundant-load-balance redundant_ldap {
>     ldap1
>     ldap2
>     ldap3
> }
>
> update outer.reply {
>     Cisco-AVPair := "%{reply:Connect-Info}"
>     Class := "OU=%{reply:Connect-Info}"
> }
>
>and the debug output shows this working.
>
>But the Access-Accept does not include these attributes as it does
>when I use TTLS-PAP.
>
>I tried moving the "update outer.reply" to the post-auth section, but
>this did not help.
>
>My config is quite close to the default. The only PEAP related change
>I made was to update modules/mschap with the correct ntlm_auth line.
>
>Thanks for any ideas.
>
>
>
>Tod Sandman
>Sr. Systems Administrator
>Middleware Development & Integration
>Rice University
>
>