Hi,

Have set up freeradius on a SLES10SP1 box in order to do 802.1X authentication. All is fine if the client submits a request using just the user name, e.g. test05 in the case below:

Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 6
rlm_mschap: Told to do MS-CHAPv2 for test05 with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
modcall[authenticate]: module "mschap" returns ok for request 6
modcall: leaving group MS-CHAP (returns ok) for request 6
MSCHAP Success
modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
PEAP: Got tunneled Access-Challenge
modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6

However, if the user submits a request with the domain name appended, such as @xyz.edu.hk, then the request fails at the same point in the process, as shown:

Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 6
rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 6
modcall: leaving group MS-CHAP (returns reject) for request 6
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 6
modcall: leaving group authenticate (returns reject) for request 6
auth: Failed to validate the user.
Found Post-Auth-Type
Processing the post-auth section of radiusd.conf
modcall: entering group REJECT for request 6

I defined the domain suffix in the proxy conf file and set it to LOCAL because the local server should process the requests no matter whether the suffix is there or not. I also tried rewriting the User-Name attribute to remove the suffix (which is already done by Stripped-User-Name) but that caused another problem.

So I'm at the point where I'm just scratching my head... any hints most appreciated.

Graham Marsh
Hong Kong

