On Fri, Jul 15, 2011 at 7:13 AM, Nick Kartsioukas <[email protected]> wrote:
> Okay, I've gotten a bit further, but I'm still not grasping something in
> the process flow from authorization to authentication and EAP outer and
> inner methods.
>
> I'll paste relevant chunks of my authorize, authenticate, and eap config
> sections below. The conditional switch statement is working properly
> and matching my SSID (I do have other statements there, I just chopped
> them out here for brevity), the LDAP lookup is working properly and
> granting me authorization, but when it goes to EAP to perform
> authentication it seems like it never gets to the inner MSCHAPv2 auth
> and eventually fails.
>
> ERROR: No authenticate method (Auth-Type) found for the request:
> Rejecting the user
> Failed to authenticate the user.
> Login incorrect: [nicholas_kartsioukas] (from client slo-wlc1 port 0 via
> TLS tunnel)
> } # server
> [peap] Got tunneled reply code 3
> [peap] Got tunneled reply RADIUS code 3
> [peap] Tunneled authentication was rejected.
> [peap] FAILURE
>
> I've attached the full debug log. Hopefully someone can point me in the
> right direction? Thanks!

I'd look at these lines:

[ldap_parrotfish] performing search in ou=CUESTA,dc=cuesta,dc=org, with filter (sAMAccountName=nicholas_kartsioukas)
[ldap_parrotfish] No default NMAS login sequence
[ldap_parrotfish] looking for check items in directory...
[ldap_parrotfish] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?

Do you have cleartext-password somewhere in your LDAP schema?

If not, then MSCHAPv2 will NOT work. It MIGHT work with TTLS-PAP or
PEAP-GTC, but requires special setup (to force LDAP bind).

If yes, then check ldap.attrmap to ensure attribute mappings matched.

--
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
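
An added example, not part of the thread and not FreeRADIUS project code: a small Python triage script that scans debug output for the messages quoted above and ties each tunnelled reject to the LDAP lookup that preceded it. The function name `triage`, the cause labels and the sample log are assumptions made for illustration.

```python
import re

# Patterns are the FreeRADIUS debug messages quoted in this thread.
LDAP_SEARCH = re.compile(r'\[(\w+)\] performing search in (\S+), with filter \((.+)\)')
NO_PASSWORD = re.compile(r'No "known good" password was found in LDAP')
NO_AUTH_TYPE = re.compile(r'No authenticate method \(Auth-Type\) found')
TUNNEL_REJECT = re.compile(r'\[(peap|ttls)\] Tunneled authentication was rejected')

def triage(log_text):
    """Return one finding per rejected tunnelled (inner) authentication."""
    findings = []
    cur = {"module": None, "filter": None, "no_password": False, "no_auth_type": False}
    for line in log_text.splitlines():
        m = LDAP_SEARCH.search(line)
        if m:
            # Assumption: a new directory lookup marks the start of a new inner request.
            cur = {"module": m.group(1), "filter": m.group(3),
                   "no_password": False, "no_auth_type": False}
        elif NO_PASSWORD.search(line):
            cur["no_password"] = True
        elif NO_AUTH_TYPE.search(line):
            cur["no_auth_type"] = True
        else:
            m = TUNNEL_REJECT.search(line)
            if m:
                if cur["no_password"] and cur["no_auth_type"]:
                    cause = "ldap-supplied-no-password"  # the case in this thread
                elif cur["no_auth_type"]:
                    cause = "no-auth-type"
                else:
                    cause = "rejected-for-another-reason"
                findings.append({"tunnel": m.group(1), "module": cur["module"],
                                 "filter": cur["filter"], "cause": cause})
                cur = dict(cur, no_password=False, no_auth_type=False)
    return findings

# Constructed sample: names and values are made up, message text follows the thread.
SAMPLE = """\
[ldap_example] performing search in ou=People,dc=example,dc=org, with filter (sAMAccountName=alice)
[ldap_example] looking for check items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
[peap] Got tunneled reply code 3
[peap] Tunneled authentication was rejected.
[ldap_example] performing search in ou=People,dc=example,dc=org, with filter (sAMAccountName=bob)
[peap] Tunneled authentication was rejected.
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```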

