FreeRADIUS 3.0.12 + openLDAP + Apple access point?
Alan DeKok
aland at deployingradius.com
Wed Dec 6 14:27:15 CET 2017
On Dec 6, 2017, at 8:20 AM, Tobias Balle-Petersen <tobiasbp at gmail.com> wrote:
> At the dawn of time, I set up a FreeRADIUS 2.x server with an openLDAP
> backend for use with my Apple access points. This has worked for years.
That's common. I've seen people with installations that are 10+ years old. If it works... why change it?
> I am now trying to make the same configuration with FreeRADIUS 3.0.12 in a
> FreeBSD jail. Unfortunately, I can not make it work.
Follow the guide:
http://deployingradius.com/documents/configuration/eap.html
And test the "inner-tunnel" first. Read the comments at the start of that file for more details.
> I have pasted the lengthy log of a failed attempt here:
> https://pastebin.com/CLqegYRe
>
> It looks to me like this is where it goes wrong:
...
> (18) pap: WARNING: Auth-Type already set. Not setting to PAP
> (18) [pap] = noop
> (18) } # authorize = updated
> (18) Found Auth-Type = Reject
> (18) Auth-Type = Reject, rejecting user
That means the "Auth-Type = Reject" was set somewhere long before that message is printed. Read the *rest* of the log to look for Reject, or something that might set it.
Specifically:
> (8) files: users: Matched entry DEFAULT at line 63
As ALWAYS, the default configuration works. Install it, add a user, configure a cert, and EAP for WiFi *will* work.
Many people start mashing all kinds of things into the config without testing. Then, after a few days of editing, it doesn't work. Since they *never* tested it, it never worked, and they have no idea where it went from "working" to "not working".
Take a methodical approach to changing the configuration. And *test* it every time you make a change. This is all documented in "man radiusd".
Alan DeKok.
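
Added example, not part of the original message or of FreeRADIUS: a small Python helper that applies the advice above by scanning a debug log for the first "Auth-Type = Reject" and listing the earlier lines, across all request numbers, that could explain it. The sample log is constructed from the lines quoted in this thread only, and the function and pattern names are hypothetical.

```python
import re

# Constructed sample: only the debug lines quoted in the message above,
# in request order. A real debug log contains many more lines.
SAMPLE_LOG = """\
(8) files: users: Matched entry DEFAULT at line 63
(18) pap: WARNING: Auth-Type already set.  Not setting to PAP
(18)     [pap] = noop
(18)   } # authorize = updated
(18) Found Auth-Type = Reject
(18) Auth-Type = Reject, rejecting user
"""

# "(N) rest of line": N is the request number printed by the server.
LINE = re.compile(r"^\((\d+)\)\s*(.*)$")
REJECT = re.compile(r"Auth-Type = Reject")
# Lines worth reviewing when hunting for what set Auth-Type earlier on.
# These patterns are assumptions based on the lines quoted in the thread.
HINTS = [
    re.compile(r"files: users: Matched entry \S+ at line \d+"),
    re.compile(r"Auth-Type already set"),
]


def trace_reject(log_text):
    """Return (request_no, candidates) for the first reported Reject.

    candidates is a list of (request_no, log_line_no, text) for hint lines
    seen before the Reject. Earlier requests are included on purpose: an
    EAP conversation spans several requests, so the cause may be far back.
    """
    seen = []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        m = LINE.match(raw.strip())
        if not m:
            continue
        req, text = int(m.group(1)), m.group(2)
        if REJECT.search(text):
            return req, seen
        if any(h.search(text) for h in HINTS):
            seen.append((req, lineno, text))
    return None, seen


if __name__ == "__main__":
    request, candidates = trace_reject(SAMPLE_LOG)
    print(f"Reject reported in request {request}; lines to review:")
    for req, lineno, text in candidates:
        print(f"  log line {lineno}, request {req}: {text}")
```

The candidates are starting points for reading the log, not a verdict; each one still has to be checked against the configuration file and line it names.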