Switch sends EAP-Fail after Radius Access-Accept

Matthew Newton mcn4 at leicester.ac.uk
Thu Aug 6 02:40:16 CEST 2015


On Wed, Aug 05, 2015 at 01:40:47PM -0400, Preyas Kamath wrote:
> rad_recv: Access-Request packet from host 10.1.2.12 port 1645, id=86,
> length=158
>         User-Name = "anonymous"
>         Service-Type = Framed-User
>         Framed-MTU = 1500
>         Called-Station-Id = "24-B6-57-D3-2C-8C"
>         Calling-Station-Id = "5C-B9-01-B2-4A-15"
>         EAP-Message = 0x0201000e01616e6f6e796d6f7573

EAP request...

> # Executing section authorize from file /etc/raddb/small.conf
> +- entering group authorize {...}
> ++[control] returns notfound
> Found Auth-Type = Accept
> Auth-Type = Accept, accepting the user

...but you never called the eap module...

> Login OK: [anonymous/<via Auth-Type = Accept>] (from client 10.1.2.12 port
> 50112 cli 5C-B9-01-B2-4A-15)
>   WARNING: Empty post-auth section.  Using default return values.
> Sending Access-Accept of id 86 to 10.1.2.12 port 1645

...so the server didn't send any EAP response.

How did you expect the switch to send an EAP-Success, if you
didn't send one back from the server? Access-Accept alone isn't
enough with EAP - the EAP transaction has to succeed as well.

Start from the default config, and then tweak that if it doesn't
work, rather than stripping everything out and wondering why it's
broken.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
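
Added example, not part of the original message and not FreeRADIUS code: it decodes the EAP-Message attribute from the quoted Access-Request and classifies a reply the way the thread describes, where an Access-Accept with no EAP-Message leaves the switch with no EAP-Success to pass on. The function names `parse_eap` and `diagnose`, the result labels and the sample EAP-Success bytes are assumptions constructed for illustration.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# EAP-Message from the Access-Request in the quoted debug output.
PAGE_REQUEST = {"User-Name": "anonymous",
                "EAP-Message": "0x0201000e01616e6f6e796d6f7573"}
# Constructed sample: an EAP-Success (code 3, id 1, length 4).
SAMPLE_SUCCESS = "0x03010004"

def parse_eap(hex_value):
    """Decode the RFC 3748 EAP header from a RADIUS EAP-Message hex string."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP length field does not match the data")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:  # only Request/Response carry a Type
        pkt["type"] = raw[4]
        pkt["data"] = raw[5:length]
    return pkt

def diagnose(request_attrs, reply_code, reply_attrs):
    """Classify a RADIUS reply to a request that carried EAP."""
    if "EAP-Message" not in request_attrs:
        return "not-eap"
    if reply_code != "Access-Accept":
        return "rejected-or-challenge"
    if "EAP-Message" not in reply_attrs:
        return "accept-without-eap"   # the case in this thread
    if parse_eap(reply_attrs["EAP-Message"])["code"] != "Success":
        return "accept-with-non-success-eap"
    return "accept-with-eap-success"

if __name__ == "__main__":
    print(parse_eap(PAGE_REQUEST["EAP-Message"]))
    print(diagnose(PAGE_REQUEST, "Access-Accept", {}))
    print(diagnose(PAGE_REQUEST, "Access-Accept", {"EAP-Message": SAMPLE_SUCCESS}))
```

The request decodes as an EAP-Response/Identity (type 1) carrying "anonymous", so the supplicant is mid-conversation and is still waiting for an EAP packet in the reply.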

