Authentication issues with Win7 and WPA/WPA2 Enterprise
Simon L.
fantasnews at ki.tng.de
Tue May 24 16:58:29 CEST 2011
Phil Mayers wrote:
> On 24/05/11 08:35, Simon L. wrote:
>> Phil Mayers wrote:
>>> On 05/23/2011 06:53 PM, Simon L. wrote:
>>>
>>>> Please have a look at my new, attached debug log.
>>>
>>> The server you are proxying to sends a reject. Fix that server.
>>> -
>>>
>>
>> Why does the home server accept a proxied request from radtest but not
>> from a wpa supplicant?
>
> radtest sends (by default) a PAP request.
>
> WPA-Supplicant sends EAP.
>
>> The home server cannot talk EAP. As the log shows, the proxy is not
>
> If the home server can't do EAP, how do you expect to proxy EAP to it?
>
> What is the home server?
That's the point, I don't want to proxy EAP to the other FreeRADIUS (home
server).
>
>> doing EAP when it forwards a request. Where is the difference?
>
> 802.1x requires EAP support at the radius server. If you are proxying
> the requests to another server, it requires EAP support there, too.
I thought "proxy_tunneled_request_as_eap = no" would proxy without EAP,
so I did this:
eap.conf:

    eap {
        ...
        peap {
            default_eap_type = mschapv2
            copy_request_to_tunnel = yes
            use_tunneled_reply = yes
            proxy_tunneled_request_as_eap = no
            virtual_server = "proxy-inner-tunnel"
        }
    }

proxy-inner-tunnel:

    server proxy-inner-tunnel {
        authorize {
            update control {
                Proxy-To-Realm := NULL  # I want to proxy realm NULL
            }
        }
        authenticate {
            eap
        }
        post-proxy {
            eap
        }
    }
>
> It *may* be possible to terminate the EAP at FreeRADIUS, and send the
> inner EAP as non-EAP, but this is a hack, and I strongly advise against
> it. This will only work for EAP-TTLS/PAP and EAP-PEAP/MSCHAP.
The network between the two FreeRADIUS servers is not public or shared, so I
think that would be OK. My above solution proxied EAP, but is your hack
just an old version of my config? I read several mails from last year,
where that problem is solved that way (more or less).
>
> If you want to do that, put the proxy config into
> sites-enabled/inner-tunnel,
Do you mean from proxy.conf or proxy-inner-tunnel?
> and also see eap.conf:
>
>     eap {
>         peap {
>             proxy_tunneled_request_as_eap = yes
>         }
>     }
I had set it to "no".
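
The distinction drawn in this thread (radtest sends PAP, a supplicant sends EAP) is visible in the attributes of the Access-Request that reaches the home server. As an added example, not part of the original message and not FreeRADIUS code, this Python code classifies a raw RADIUS packet by those attributes; the sample packets and the user name are constructed.

```python
import struct

# Attribute numbers: RFC 2865 (2, 26), RFC 3579 (79); MS-CHAP2-Response VSA: RFC 2548.
USER_PASSWORD, VENDOR_SPECIFIC, EAP_MESSAGE = 2, 26, 79
MS_VENDOR, MS_CHAP2_RESPONSE = 311, 25

def attributes(packet):
    """Yield (type, value) for every attribute, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def auth_method(packet):
    """Name the authentication method an Access-Request carries."""
    found = set()
    for atype, value in attributes(packet):
        if atype == EAP_MESSAGE:
            found.add("EAP")
        elif atype == USER_PASSWORD:
            found.add("PAP")
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype = struct.unpack("!IB", value[:5])
            if vendor == MS_VENDOR and vtype == MS_CHAP2_RESPONSE:
                found.add("MS-CHAPv2")
    # EAP takes precedence: a server without EAP support cannot answer it.
    return next((m for m in ("EAP", "MS-CHAPv2", "PAP") if m in found), "none")

def build(attrs):
    """Constructed sample: Access-Request (code 1) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

USER = (1, b"testuser")  # User-Name attribute, constructed value
MS_VSA = struct.pack("!IBB", MS_VENDOR, MS_CHAP2_RESPONSE, 52) + bytes(50)
PAP_REQ = build([USER, (USER_PASSWORD, bytes(16))])
EAP_REQ = build([USER, (EAP_MESSAGE, b"\x02\x01\x00\x0d\x01testuser")])
MSCHAP2_REQ = build([USER, (VENDOR_SPECIFIC, MS_VSA)])
```

Applied to the UDP payload of packets captured on the link between the proxy and the home server, `auth_method` shows whether the inner request left the proxy as EAP or as plain MS-CHAPv2.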