eap: Freeradius proxy doesn't work with EAP PEAP auth

Alan DeKok aland at deployingradius.com
Wed Jul 5 16:23:05 CEST 2017


On Jul 5, 2017, at 9:12 AM, Danilo Raspa <danilo.raspa at gmail.com> wrote:
> When I try to connect by using the command "radtest" everything works
> perfectly, here the command: "radtest danilo.raspa at realm_example.com 1234
> 192.168.0.158 18120 password"

  That just tests username / password authentication.  It doesn't test anything else.

  Did you follow the instructions at the top of the "inner-tunnel" virtual server?  They describe how to do more detailed testing.

> The problem is that when I try to connect from my phone using EAP
> PEAP(using same danilo.raspa at realm_example.com/1234) I receive an "Access
> Reject" message from the radius server (this is the error: "eap : Identity
> does not match User-Name, setting from EAP Identity").

  The debug log should say what's going on.

> Here are some other info:

  We don't ask for that information.  We don't need it.

> Log request from RADIUS PROXY:
> 
> 
> Received Access-Request Id 168 from 192.168.0.210:3126 to 192.168.0.158:1812
> length 168
> User-Name = 'danilo.raspa at realm_example.com'
> ..
> (0)  suffix : Looking up realm "realm_example.com" for User-Name = "
> danilo.raspa at realm_example.com"
> (0)  suffix : Found realm "realm_example.com"
> (0)  suffix : Adding Stripped-User-Name = "danilo.raspa"
> (0)  suffix : Adding Realm = "realm_example.com"
> (0)  suffix : Proxying request from user danilo.raspa to realm
> realm_example.com
> (0)  suffix : Preparing to proxy authentication request to realm "
> ...
> (0) Sending Access-Request packet to host 192.168.0.243 port 1812, id=158,
> length=0
> (0) User-Name = 'danilo.raspa'

  You have the proxy editing the User-Name.  Don't do that.

  See the documentation in proxy.conf.  You can configure it to *not* edit the User-Name.

  Alan DeKok.
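
As an added example (not part of the original message and not FreeRADIUS code), the check below scans debug output of the shape quoted above and reports each request whose User-Name the proxy changed before forwarding it. The sample log, addresses, users and the function name are constructed for illustration.

```python
import re

# Constructed sample shaped like the debug output quoted above
# (documentation addresses and made-up users, not taken from the thread).
SAMPLE_LOG = """\
Received Access-Request Id 168 from 192.0.2.10:3126 to 192.0.2.20:1812 length 168
  User-Name = 'alice@example.org'
(0)  suffix : Found realm "example.org"
(0)  suffix : Adding Stripped-User-Name = "alice"
(0) Sending Access-Request packet to host 192.0.2.30 port 1812, id=158, length=0
(0)   User-Name = 'alice'
Received Access-Request Id 169 from 192.0.2.10:3126 to 192.0.2.20:1812 length 170
  User-Name = 'bob@example.org'
(1) Sending Access-Request packet to host 192.0.2.30 port 1812, id=159, length=0
(1)   User-Name = 'bob@example.org'
"""

RECV = re.compile(r"Received Access-Request Id (\d+)")
SEND = re.compile(r"Sending Access-Request packet to host (\S+) port (\d+)")
# Only a bare attribute line counts, so "Stripped-User-Name" and the
# "Looking up realm ... for User-Name" module messages are ignored.
USER = re.compile(r"^\s*(?:\(\d+\)\s+)?User-Name = (['\"])(.*?)\1\s*$")


def find_rewritten_usernames(log_text):
    """Return one finding per request whose proxied User-Name differs."""
    findings, state = [], None
    recv_id = received = home = None
    for line in log_text.splitlines():
        if m := RECV.search(line):
            state, recv_id, received = "recv", m.group(1), None
        elif m := SEND.search(line):
            state, home = "send", f"{m.group(1)}:{m.group(2)}"
        elif (m := USER.match(line)) and state:
            name = m.group(2)
            if state == "recv":
                received = name  # what the NAS sent to the proxy
            elif received is not None and name != received:
                findings.append({"request_id": recv_id, "received": received,
                                 "proxied": name, "home_server": home})
            state = None  # only the first User-Name after a header counts
    return findings


if __name__ == "__main__":
    for f in find_rewritten_usernames(SAMPLE_LOG):
        print(f"Id {f['request_id']}: {f['received']!r} sent to "
              f"{f['home_server']} as {f['proxied']!r}")
```

A finding means the home server receives a User-Name that no longer matches the identity carried in the EAP message; the `nostrip` setting in a proxy.conf realm section keeps the name unchanged.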