Phil Mayers wrote:
Sigh.
Don't set the Auth-Type AT ALL. The only legitimate uses are:
* setting it to Accept for PAP requests
* setting it to Reject
* setting it to the name of a specific instance where there are >1 of
the same type of auth module with different configs (e.g. 2 different
LDAPs or 2 different mschap)
The "eap" module will itself detect the request is eap and (assuming the
server is configured correctly, as it is by default) set the Auth-Type.
By forcing it manually, you are guaranteeing that certain authentication
configurations will fail.
I know all this now, I didn't before. I set this server up a while back
to handle my cisco device logins, I can't remember why I'd put that in
radgroupcheck. It's not removed.
and seems to issue the attributes (my cisco priv ones are there) ok. My
laptop still doesn't get an IP address, but this may now be an issue
with the AP.
Can I safely now say that freeradius is behaving correctly and the issue
is now with the AP, or does the above output still point to a freeradius
issue?
I don't know why you're returning:
Cisco-AVPair = "shell:priv-lvl=15"
Service-Type = Administrative-User
...to an access point EAP session; neither make any sense, and I
suppose could be mucking things up, but most likely the problem lies
with the supplicant rather than the AP. It may not like the SSL server
certificate, though from what I can see it's not getting that far. Is
the supplicant configured to do EAP-TLS?
I'm returning these because, as above, I want to use the same
credentials as those that I use for logging into my cisco routers, and I
want to pass those attributes when I log into a router. It's true they
could be confusing things for the AP, but is there a way to not return
them when the auth type is detected as EAP? Or do I have to use a
completely different set of credentials?
It's apparent you've done a serious amount of fiddling with the default
configs. I suggest doing a default/clean install, and starting from the
most basic - a user in the "users" file:
username Cleartext-Password := "foobar"
Check if they can authenticate. Then set up the sql module, put the above
AND ONLY THE ABOVE entries in the database, and test again. Making one
change at a time will allow you to pin down the problem; at the moment,
there are lots of things it *could* be.
I will do this.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
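An added example, not from either poster, of the clean-install starting point Phil describes together with an answer to the question about not returning the router attributes to EAP sessions: a minimal "users" entry, then an unlang post-auth rule that strips the Cisco shell attributes whenever the request carries EAP-Message. The username, password and file locations are placeholders; the operators and section names are FreeRADIUS unlang (FreeRADIUS 3 also accepts the "&" attribute prefix).

```unlang
# raddb/users: one cleartext test user (placeholder credentials).
# Reply items for the router logins live here; the filter below removes
# them again for wireless (EAP) sessions, so the same user works for both.
username Cleartext-Password := "foobar"
        Cisco-AVPair = "shell:priv-lvl=15",
        Service-Type = Administrative-User

# raddb/sites-enabled/default, inside the post-auth section.
# An 802.1X/EAP session on an access point never needs router shell
# privileges, so drop them before the Access-Accept leaves the server.
post-auth {
        if (EAP-Message) {
                update reply {
                        Cisco-AVPair !* ANY
                        Service-Type !* ANY
                }
        }
}
```

Run `radiusd -X` and confirm in the debug output that the reply for an EAP request no longer lists Cisco-AVPair or Service-Type, while a PAP login from a router still does.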