radlogin works, mobile device not

Fajar A. Nugraha list at fajar.net
Tue Sep 11 11:06:07 CEST 2012


On Tue, Sep 11, 2012 at 3:54 PM, Mihajlo Joksimovic
<mihajlo.joksimovic at adfinis-sygroup.ch> wrote:

> IPhone test:
> rad_recv: Access-Request packet from host 10.119.12.2 port 1318, id=21, length=197
>     Message-Authenticator = 0x24691ccd1f2040d828405d72ef7189ec
>
>     Service-Type = Framed-User
>     User-Name = "nadine.bosshard"
>     Framed-MTU = 1488
>     Called-Station-Id = "204E7FE98EF3:TCSVO-Intern"
>     Calling-Station-Id = "9803D861E85C"
>     NAS-Identifier = "aptcsvo02"
>     NAS-Port-Type = Wireless-802.11
>     Connect-Info = "CONNECT 54Mbps 802.11g"
>     EAP-Message = 0x02000014016e6164696e652e626f737368617264
>     NAS-IP-Address = 10.119.12.2
>     NAS-Port = 1
>     NAS-Port-Id = "STA port # 1"
> +- entering group authorize
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
>     rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm NULL
>     rlm_realm: No such realm "NULL"
> ++[suffix] returns noop
>   rlm_eap: EAP packet type response id 0 length 20
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation

There should be other lines before that. Like the ones that say it's
using inner-tunnel?


> rlm_unix: [nadine.bosshard]: invalid shell [/bin/false]
> ++[unix] returns reject

Did you read that line? You have "unix" in the authorize section of the
inner tunnel. And user nadine.bosshard is not allowed to log in to the
system (invalid shell). FR does the right thing. Comment out that line in
the inner tunnel.

Your radlogin test succeeds because you don't have "unix" in the authorize
section of the default virtual server.


See how important complete debug logs are?

... and seriously, upgrade. There are many known bugs fixed since
2.0.x. And if you can edit the configuration freely by hand, you
should be able to upgrade.

-- 
Fajar
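
The check described in this reply (find the module that returned reject and the message it logged just before), as an added example that is not part of the original post. The sample input joins lines from the two quoted debug fragments above into one constructed sequence; the function name and the set of return codes treated as failures are assumptions of this example.

```python
import re

# Constructed input: lines copied from the debug output quoted above, with
# mail line-wrapping undone and the two quoted fragments joined together.
SAMPLE = '''\
> +- entering group authorize
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
>     rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm NULL
>     rlm_realm: No such realm "NULL"
> ++[suffix] returns noop
> rlm_unix: [nadine.bosshard]: invalid shell [/bin/false]
> ++[unix] returns reject
'''

QUOTE = re.compile(r"^(?:>\s?)+")                  # mail quoting, if pasted from a list post
GROUP = re.compile(r"^\+-\s*entering group (\S+)")
RESULT = re.compile(r"^\++\[([^\]]+)\] returns (\w+)$")
# Module return codes this example treats as failures (assumption of the example).
FAILING = {"reject", "fail", "invalid", "userlock"}


def find_failures(debug_text):
    """Return (group, module, rcode, messages) for every failing module result."""
    findings, group, messages = [], None, []
    for raw in debug_text.splitlines():
        line = QUOTE.sub("", raw).strip()
        if not line:
            continue
        m = GROUP.match(line)
        if m:
            group, messages = m.group(1), []
            continue
        m = RESULT.match(line)
        if m:
            module, rcode = m.groups()
            if rcode in FAILING:
                findings.append((group, module, rcode, messages))
            messages = []          # later messages belong to the next module
            continue
        messages.append(line)      # module output that precedes its result line
    return findings


if __name__ == "__main__":
    for group, module, rcode, messages in find_failures(SAMPLE):
        print(f"{module} returned {rcode} in '{group}'")
        for msg in messages:
            print("   ", msg)
```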

