EAP fails when proxying to a realm
Phil Mayers
p.mayers at imperial.ac.uk
Thu Jun 28 18:49:31 CEST 2012
On 28/06/12 17:33, Christopher Manigan wrote:
> I am trying to use MSCHAPv2 to authenticate users. This works ok, except when I try to proxy to a realm. Pasted below is the debug of a user trying to authenticate. The realm is a prefix of the username. What I see buried in the debug is:
>
>
> # radiusd -X
> FreeRADIUS Version 2.1.11, for host i686-pc-linux-gnu, built on Jun 28 2012 at 11:37:39

Upgrade to 2.1.12 if possible.

> Sending Access-Request of id 22 to 127.0.0.1 port 1812

Why on earth are you proxying back to yourself, to the same virtual
server no less?

I suspect this is confusing the server, since it fails inside the
handler further down.

> [eap] Identity does not match User-Name, setting from EAP Identity.

You are rewriting the username. This doesn't work with EAP. Don't do that.

If you need to strip realms etc. use "Stripped-User-Name". Leave the
original username alone.

> [eap] Failed in handler
> ++[eap] returns invalid
> Failed to authenticate the user.
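
Added example, not part of the original post and not FreeRADIUS code: a small Python model of the comparison behind the quoted "[eap] Identity does not match User-Name" line, showing that overwriting User-Name breaks the match while copying the stripped name into Stripped-User-Name keeps it. The packet layout follows RFC 3748; the "/" prefix delimiter, the realm "example", the user "bob" and all function names are assumptions made for illustration.

```python
import struct

EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1  # RFC 3748 code and type values

def eap_identity(eap_message: bytes) -> str:
    """Return the identity carried in an EAP-Response/Identity packet."""
    if len(eap_message) < 5:
        raise ValueError("EAP packet too short")
    code, _ident, length, eap_type = struct.unpack("!BBHB", eap_message[:5])
    if length < 5 or length > len(eap_message):
        raise ValueError("bad EAP length field")
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity")
    return eap_message[5:length].decode("utf-8")

def build_identity_response(ident: int, identity: str) -> bytes:
    """Build the packet a supplicant sends (used for the constructed sample)."""
    data = identity.encode("utf-8")
    return struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(data), EAP_TYPE_IDENTITY) + data

def split_prefix_realm(user_name: str, delimiter: str = "/"):
    """Split 'realm/user'; the delimiter is an assumption, not from the post."""
    realm, sep, user = user_name.partition(delimiter)
    return (realm, user) if sep and realm and user else (None, user_name)

def strip_by_rewriting(request: dict) -> dict:
    """The pattern the reply warns against: overwrite User-Name."""
    out = dict(request)
    _realm, out["User-Name"] = split_prefix_realm(request["User-Name"])
    return out

def strip_into_stripped_user_name(request: dict) -> dict:
    """The pattern the reply recommends: leave User-Name alone."""
    out = dict(request)
    realm, user = split_prefix_realm(request["User-Name"])
    if realm is not None:
        out["Realm"], out["Stripped-User-Name"] = realm, user
    return out

def identity_matches_user_name(request: dict) -> bool:
    """True when the EAP identity and User-Name still agree."""
    return eap_identity(request["EAP-Message"]) == request["User-Name"]

# Constructed sample request (hypothetical realm and user).
SAMPLE = {"User-Name": "example/bob",
          "EAP-Message": build_identity_response(1, "example/bob")}
```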