Proxied Access-Challenge requests are missing AVPs

Leonardo Arena rnalrd at gmail.com
Fri Sep 11 13:24:36 CEST 2015


On Fri, 2015-09-11 at 11:19 +0100, Arran Cudbard-Bell wrote:
> > On 11 Sep 2015, at 09:20, Leonardo Arena <rnalrd at gmail.com> wrote:
> > 
> > On Thu, 2015-09-10 at 18:47 +0100, Arran Cudbard-Bell wrote:
> >>> On 10 Sep 2015, at 15:57, Leonardo Arena <rnalrd at gmail.com> wrote:
> >>> 
> >>> Hi list,
> >>> 
> >>> I have a FreeRADIUS 3.0.3 proxy which forwards all Cisco WAPs
> >>> Wireless-802.11 authentication requests to a Windows NPS server. Clients
> >>> use PEAP to authenticate.
> >>> 
> >>> What I'm seeing is that the Access-Challenge from the NPS is forwarded
> >>> without any AVPs, and of course the WAP silently drops it.
> >>> 
> >>> Please find below the debug output and the relevant configuration files
> >>> attached.
> >>> 
> >>> Couldn't really find anything helpful in the ML archive.
> >>> 
> >>> Could you please give me any suggestion of what could be wrong?
> >> 
> >> Weird, unless you list a filter module in post-proxy the response should be forwarded.  You're using a very out of date version of v3.0.x though, try 3.0.9 and see if you still see the same issue.
> >> 
> > 
> > I'm using default attr-filter module (see below) and AFAICS it's used
> > only by inner-tunnel, and I don't have any post-proxy file.
> > 
> > I'll give it a shot with 3.0.9 although with 3.0.4 clients.conf changed
> > syntax IIRC and that's why we stick with 3.0.3. Upgrading clients.conf
> > in 200+ installations does not look an attractive option. :)
> 
> clients.conf from 3.0.3 should be compatible with 3.0.9.  It'll just issue a few warnings.
> 

Unfortunately this does not seem to be the case:

/etc/raddb# rc-service radiusd start
 * Caching service dependencies ... [ ok ]
 * /var/run/radiusd: correcting mode
 * /var/run/radiusd: correcting owner
 * Starting Freeradius ... * start-stop-daemon: failed to start
`/usr/sbin/radiusd'
 * Failed to start radiusd

[ !! ]
 * ERROR: radiusd failed to start

/etc/raddb# radiusd -X
[...]
/etc/raddb/clients.conf[1]: No 'ipaddr' or 'ipv4addr' or 'ipv6addr'
configuration directive found in client 127.0.0.1/8


Am I missing anything?

- leo