[EMAIL PROTECTED] wrote:
robiwan: Okay, here is the complete output from my radiusd, when user roka does a request: sorry, it's huge

rad_recv: Access-Request packet from host 10.187.0.15:1645, id=231, length=137
        NAS-IP-Address = 10.187.0.15
        NAS-Port = 50103
        NAS-Port-Type = Ethernet
        User-Name = "WINLAB\\roka"
        Called-Station-Id = "00-14-69-5B-8B-03"
        Calling-Station-Id = "00-0B-5D-84-AE-CA"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x020000100157494e4c41425c726f6b61
        Message-Authenticator = 0x58539e67c56f220589cf69d3485c493d
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "WINLAB\roka", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 0 length 16
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry DEFAULT at line 185
modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
It should be obvious what's happening here. The "files" module is only matching a DEFAULT entry. This is because your username is DOMAIN\user. DOMAIN\user != user
Either do this to break the user into realm+user:

authorize {
        preprocess
        ntdomain
        mschap
        eap
        files
}

...and this in proxy.conf:

realm WINLAB {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
        strip
}

OR edit your "users" to read:

WINLAB\\roka The-Stuff-Here := whatever

peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        proxy_tunneled_request_as_eap = no
}
You may not in fact need these if this was the problem, though I always enable them since if you later on start matching on other attributes (e.g. SSID, etc.) they need to be copied to/from the inner tunnel.
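
The mismatch described in this reply, as an added example that is not part of the original thread and is not FreeRADIUS code: it decodes the EAP-Message value from the debug output above and models the users-file lookup with and without the realm split. The functions lookup_key and match_users and the sample users entries are hypothetical simplifications made for illustration.

```python
import struct

# Copied from the EAP-Message attribute in the debug output quoted above.
SAMPLE_EAP_MESSAGE = "0x020000100157494e4c41425c726f6b61"

def parse_eap_identity(hex_value):
    """Decode an EAP-Response/Identity as printed in radiusd debug output."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.lower().startswith("0x") else hex_value)
    if len(raw) < 5:
        raise ValueError("too short for an EAP request/response")
    # Header: code (1 byte), identifier (1), length (2, big-endian), type (1)
    code, ident, length, eap_type = struct.unpack("!BBHB", raw[:5])
    if length != len(raw):
        raise ValueError("EAP length field does not match attribute size")
    if code != 2 or eap_type != 1:
        raise ValueError("not an EAP-Response/Identity")
    return {"id": ident, "length": length, "identity": raw[5:].decode("utf-8")}

def split_ntdomain(user_name):
    """Split DOMAIN\\user on the first backslash; (None, name) if no realm."""
    realm, sep, user = user_name.partition("\\")
    if not sep or not realm or not user:
        return None, user_name
    return realm, user

def lookup_key(user_name, strip_realms=()):
    """Hypothetical model: the key is the stripped name only when the realm
    is known and set to 'strip'; otherwise it is the full User-Name."""
    realm, user = split_ntdomain(user_name)
    return user if realm in strip_realms else user_name

def match_users(key, entries):
    """Simplified users-file lookup: exact entry name, else DEFAULT."""
    return key if key in entries else "DEFAULT"

if __name__ == "__main__":
    name = parse_eap_identity(SAMPLE_EAP_MESSAGE)["identity"]
    users = {"roka"}  # constructed users file holding only a bare entry
    print(match_users(lookup_key(name), users))               # no realm split
    print(match_users(lookup_key(name, ("WINLAB",)), users))  # realm WINLAB + strip
    print(match_users(lookup_key(name), {"WINLAB\\roka"}))    # full name in users
```
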