eap: Freeradius proxy doesn't work with EAP PEAP auth
Alan DeKok
aland at deployingradius.com
Wed Jul 5 16:23:05 CEST 2017
On Jul 5, 2017, at 9:12 AM, Danilo Raspa <danilo.raspa at gmail.com> wrote:
> When I try to connect by using the command "radtest" everything works
> perfectly, here the command: "radtest danilo.raspa at realm_example.com 1234
> 192.168.0.158 18120 password"
That just tests username / password authentication. It doesn't test anything else.
Did you follow the instructions at the top of the "inner-tunnel" virtual server? They describe how to do more detailed testing.
> The problem is that when I try to connect from my phone using EAP
> PEAP (using same danilo.raspa at realm_example.com/1234) I receive an "Access
> Reject" message from the radius server (this is the error: "eap : Identity
> does not match User-Name, setting from EAP Identity").
The debug log should say what's going on.
> Here is some other info:
We don't ask for that information. We don't need it.
> Log request from RADIUS PROXY:
>
>
> Received Access-Request Id 168 from 192.168.0.210:3126 to 192.168.0.158:1812
> length 168
> User-Name = 'danilo.raspa at realm_example.com'
> ..
> (0) suffix : Looking up realm "realm_example.com" for User-Name = "
> danilo.raspa at realm_example.com"
> (0) suffix : Found realm "realm_example.com"
> (0) suffix : Adding Stripped-User-Name = "danilo.raspa"
> (0) suffix : Adding Realm = "realm_example.com"
> (0) suffix : Proxying request from user danilo.raspa to realm
> realm_example.com
> (0) suffix : Preparing to proxy authentication request to realm "
> ...
> (0) Sending Access-Request packet to host 192.168.0.243 port 1812, id=158,
> length=0
> (0) User-Name = 'danilo.raspa'
You have the proxy editing the User-Name. Don't do that.
See the documentation in proxy.conf. You can configure it to *not* edit the User-Name.
Alan DeKok.
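
The mismatch discussed in this message, modelled in Python as an added example (not part of the original message, and not FreeRADIUS code): the proxy can rewrite User-Name, but the identity inside EAP-Message passes through unchanged, so a stripped User-Name no longer agrees with it, while a PAP request such as radtest sends has no EAP identity to compare. The function names and the sample user are constructed for illustration; leaving User-Name unedited corresponds to the `nostrip` realm option documented in proxy.conf.

```python
import struct

EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1   # Code and Type values from RFC 3748

def build_eap_identity(identity, identifier=1):
    """EAP-Response/Identity as a supplicant sends it: Code, Id, Length, Type, data."""
    data = identity.encode()
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(data),
                       EAP_TYPE_IDENTITY) + data

def parse_eap_identity(eap):
    """Return the identity carried in an EAP-Response/Identity, or None."""
    if len(eap) < 5:
        return None
    code, _ident, length, eap_type = struct.unpack("!BBHB", eap[:5])
    if (code, eap_type) != (EAP_RESPONSE, EAP_TYPE_IDENTITY) or not 5 <= length <= len(eap):
        return None
    return eap[5:length].decode("utf-8", "replace")

def proxy_request(request, strip_realm):
    """Model of a proxy: it may rewrite User-Name but cannot rewrite EAP-Message."""
    forwarded = dict(request)
    if strip_realm:
        forwarded["User-Name"] = request["User-Name"].split("@", 1)[0]
    return forwarded

def home_server_check(request):
    """Simplified identity check: 'no-eap', 'match' or 'mismatch'."""
    if "EAP-Message" not in request:
        return "no-eap"            # e.g. a radtest PAP request: nothing to compare
    identity = parse_eap_identity(request["EAP-Message"])
    return "match" if identity == request["User-Name"] else "mismatch"

# Constructed sample requests (not taken from the log above).
USER = "alice@example.org"
EAP_REQ = {"User-Name": USER, "EAP-Message": build_eap_identity(USER)}
PAP_REQ = {"User-Name": USER, "User-Password": "constructed-password"}

if __name__ == "__main__":
    for name, req in (("PAP", PAP_REQ), ("EAP", EAP_REQ)):
        for strip in (True, False):
            print(name, "strip" if strip else "nostrip",
                  home_server_check(proxy_request(req, strip)))
```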