EAP through proxy not working

Alan DeKok aland at deployingradius.com
Tue Sep 6 16:49:26 CEST 2016

On Sep 6, 2016, at 10:22 AM, Scott McLane Gardner <sgardne at uark.edu> wrote:
> I am trying to proxy eap requests from my wireless users (Cisco 5500 controller) but I'm getting error messages. When I point the controller directly at the radius server and not the proxy, it works fine. 

  The proxy is misconfigured.  It's not just proxying, it's doing something else.

> Here's the debug from the back-end radius server, I can give the proxy debug too, if necessary. I'm sure the answer I'm  missing is somewhere in this section:

  You can't debug the proxy by looking at the back-end RADIUS server.

> <snip>
> (8) Found Auth-Type = EAP
> (8) # Executing group from file /etc/raddb/sites-enabled/default
> (8)   authenticate {
> rlm_eap (EAP): No EAP session matching state 0x8acdf80a8acffcab
> (8)  eap : Either EAP-request timed out OR EAP-response to an unknown EAP-request

  That shows that the back-end server is receiving packets after it thinks the EAP session is done.  Which indicates a problem with the proxy and/or NAS.

> Full debug here:

  No, that is *not* the full debug from the back-end RADIUS server.  It's debug from part-way through an EAP conversation.

  You need to look at the FULL EAP conversation to see what's going wrong.  i.e. from the START of the EAP conversation, where it does EAP-Identity.

  You also haven't said how you've configured the proxy.  This is important.  And it shouldn't be hard.  Configure the proxy to send packets to the back-end RADIUS... and it will work.

  The only reason it fails is that the proxy is mangling the packets when it shouldn't be.  So... what have you configured on the proxy?

  Alan DeKok.

More information about the Freeradius-Users mailing list