Yet another multiple SSID setup question
Nick Kartsioukas
lists.freeradius at change.nightwind.net
Fri Jul 15 02:13:47 CEST 2011
Okay, I've gotten a bit further, but I'm still not grasping something in
the process flow from authorization to authentication and EAP outer and
inner methods.

I'll paste relevant chunks of my authorize, authenticate, and eap config
sections below. The conditional switch statement is working properly
and matching my SSID (I do have other statements there, I just chopped
them out here for brevity), the LDAP lookup is working properly and
granting me authorization, but when it goes to EAP to perform
authentication it seems like it never gets to the inner MSCHAPv2 auth
and eventually fails.

ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [nicholas_kartsioukas] (from client slo-wlc1 port 0 via TLS tunnel)
} # server
[peap] Got tunneled reply code 3
[peap] Got tunneled reply RADIUS code 3
[peap] Tunneled authentication was rejected.
[peap] FAILURE

I've attached the full debug log. Hopefully someone can point me in the
right direction? Thanks!

authorize {
    preprocess
    auth_log
    rewrite_called_station_id
    switch Called-Station-Ssid {
        case "test" {
            redundant-load-balance {
                ldap_parrotfish
                ldap_prawn
                ldap_pike
            }
            update control {
                Auth-Type = CUESTA
            }
        }
    }
    files
    expiration
    logintime
}

authenticate {
    Auth-Type CUESTA {
        eap_cuesta
        mschap_cuesta
    }
}

eap eap_cuesta {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 4096
    md5 {
    }
    leap {
    }
    gtc {
        auth_type = PAP
    }
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_file = /etc/ssl/private/webauth.cuesta.edu.key
        certificate_file = /etc/ssl/certs/webauth.cuesta.edu.cert
        CA_file = /etc/ssl/certs/thawte_ssl_webserver_intermediate_cert.crt
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        CA_path = /etc/ssl/certs
        cipher_list = "DEFAULT"
        cache {
            enable = no
            lifetime = 24 # hours
            max_entries = 255
        }
        verify {
        }
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
    }
    peap {
        default_eap_type = mschapv2
        # the PEAP module also has these configuration
        # items, which are the same as for TTLS.
        copy_request_to_tunnel = no
        use_tunneled_reply = no
    }
    mschapv2 {
    }
}

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: debuglog.txt
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20110714/fb86fc27/attachment.txt>
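
When triaging radiusd -X output, the failure quoted in the post (a reject with no Auth-Type selected, so no authenticate method ever ran) can be told apart mechanically from a reject issued by an authentication method. The Python below is an added example, not part of the original post or of FreeRADIUS; the function name classify_rejects, the cause labels and the second log event are assumptions constructed for illustration.

```python
import re

# Constructed sample: the first event reuses messages quoted in the post
# (unwrapped); the second is an invented reject with no Auth-Type error.
SAMPLE_LOG = """\
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [nicholas_kartsioukas] (from client slo-wlc1 port 0 via TLS tunnel)
} # server
[peap] Got tunneled reply code 3
[peap] Tunneled authentication was rejected.
[peap] FAILURE
Failed to authenticate the user.
Login incorrect: [example_user] (from client example-nas port 0 via TLS tunnel)
} # server
[peap] Got tunneled reply code 3
[peap] Tunneled authentication was rejected.
"""

NO_AUTH_TYPE = "No authenticate method (Auth-Type) found"
LOGIN_RE = re.compile(
    r"Login incorrect(?: \([^)]*\))?: \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)(?P<tunnel> via TLS tunnel)?"
)

def classify_rejects(log_text):
    """Return one dict per 'Login incorrect' line, with a coarse cause."""
    events, pending_no_auth_type = [], False
    for line in log_text.splitlines():
        if NO_AUTH_TYPE in line:
            pending_no_auth_type = True   # applies to the next reject only
            continue
        m = LOGIN_RE.search(line)
        if not m:
            continue
        events.append({
            "user": m["user"],
            "client": m["client"],
            "inner_tunnel": m["tunnel"] is not None,
            # With no Auth-Type, no authenticate method ran, so the
            # password was never checked: look at policy, not credentials.
            "cause": "no-auth-type" if pending_no_auth_type else "rejected-by-method",
        })
        pending_no_auth_type = False
    return events

if __name__ == "__main__":
    for event in classify_rejects(SAMPLE_LOG):
        print(event)
```

The parser expects one log message per line; e-mail wrapped excerpts need to be rejoined first.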