Garber, Neal wrote: > I’m running FR 2.1.6 with patches to rlm_mschap & rlm_eap_mschapv2 to > correct a problem with case-sensitive userids.
Ok... > First, if I didn’t include “updated” after the “update request” actions, > then it would return reject. Is that normal (I didn’t call a module in > there)? Yes... it goes back to historical behavior, and the default return codes when the "authenticate" section is being processed. > Should the unlang be outside of the “Auth-Type MS-CHAP” block? No. It MUST be inside. > Also, Ntlm-Auth-Username is expanded, there’s a “[request] returns > reject”. I think this is the source of the problem, but I don’t > understand where the reject is coming from. Hm... I'm not sure, either. > The mschap module that > follows returns OK, but the subsequent eap-comodo module returns reject > with no explanation in the debug. Do I need something like: No, that won't help. It looks like the EAP-MSCHAPv2 module is either NOT being run, or something else isn't generating an appropriate EAP packet as a reply. That's why the eap-comodo module returns reject. I suggest starting off with a *simpler* configuration. Much of that "unlang" could be put into the "authorize" section, I think. Alan DeKok. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html