> > I read a post from a long time ago about putting the
> > attribute (set to any value) in the response list, but that does not
> > seem to work (unless I did it wrong):
> >
> > /etc/raddb/preproxy_users:
> >
> > DEFAULT
> >     Message-Authenticator = 1
>
> You're adding it to the proxied packet. Read the docs.

Right, because FreeRADIUS is acting as a proxy -- but it wasn't even a problem, so I didn't really need to put that in there. Correct me if I'm wrong, but EAP should be doing Message-Authenticator stuff without me needing to tell it to add the attribute, right? It seems to be doing just that.

> > Anyway, I think I am running into a problem with not having this in the
> > packets. I am proxying requests from my Windows XP SP2 supplicant to my
> > Cisco 1310 AP
>
> That's not proxying. The supplicant doesn't do RADIUS.

Yeah, I suppose I could have worded that a bit more technically accurate. The supplicant is sending the EAP requests to the Cisco, which is sending RADIUS stuff to the router running FreeRADIUS, which is proxying those RADIUS requests to the IAS machine. Sound right now?

> > When the proxied reply (Access-Challenge) goes out of the router back
> > towards the Cisco 1310 AP and the supplicant, the Cisco or the
> > supplicant (can't tell which) is ignoring the reply and then sending a
> > new request.
>
> That's most likely the "extended key" oid nonsense that Microsoft needs.

Since you seem to know something about this, can you either:

A) Explain what the "extended key oid nonsense" is?
B) Point me to some place I can read about it?

I appreciate your help.

Thanks,

Eliot Gable