You are (still) not listening.

>
>========
>Proxy.conf
>====================================================================
>realm NULL {
>        type = radius
>        authhost = LOCAL
>        accthost = LOCAL
>}
>
>realm LOCAL {
>        type = radius
>        authhost = LOCAL
>        accthost = LOCAL
>}
>
>realm DOMAIN {
>        type = radius
>        authhost = LOCAL
>        accthost = LOCAL
>}
>
>
>realm SECURACCESS {
>        type = radius
>        authhost = 192.168.1.75:1812
>        accthost = 192.168.1.75:1813
>        secret = toor
>#       nostrip
>}
>
>

I have told you to split user and server domains. Rename this SECURACCESS into something like SECURE and make another entry for SECURACCESS that will be the same as LOCAL.

>====
>users
>===========================================================================
>DEFAULT FreeRADIUS-Proxied-To !* 127.0.0.1, Proxy-To-Realm
>:= LOCAL
>SECURACCESS FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm
>:= "SECURACCESS"
>==ENDusers===================================================================
>

Is that first entry doing anything? Proxy to (now renamed) SECURE (server realm, leave users realm alone).

>
>========
>output:
>===================================================
>rad_recv: Access-Request packet from host 192.168.1.150:32797, id=185,
>length=199
>        User-Name = "[EMAIL PROTECTED]"
>        NAS-IP-Address = 192.168.1.73
>        NAS-Port = 1
>        NAS-Identifier = "10"
>        NAS-Port-Type = Wireless-802.11
>        Calling-Station-Id = "0012793DFC0C"
>        Called-Station-Id = "000B86600A58"
>        Framed-MTU = 1100
>        EAP-Message =
>0x0201001f016a6f616b696d6c696e646772656e405345435552414343455353
>        Aruba-Essid-Name = "demo-wpa-aes-eap-radius"
>        Aruba-Location-Id = "1.1.1"
>        Message-Authenticator = 0x4a71e7a8e828c5fbfeba6f153ee22c40

..

>Mon Feb 4 13:04:03 2008 : Debug: rlm_realm: Proxying request from user
>joakimlindgren to realm SECURACCESS
>Mon Feb 4 13:04:03 2008 : Debug: rlm_realm: Adding Realm =
>"SECURACCESS"
>Mon Feb 4 13:04:03 2008 : Debug: rlm_realm: Preparing to proxy
>authentication request to realm "SECURACCESS"

..

EAP doesn't get terminated - it gets proxied. Or at least that's where this is heading.

..
..

>Mon Feb 4 13:04:03 2008 : Debug: rlm_eap: Request is supposed to be
>proxied to Realm SECURACCESS. Not doing EAP.

..

Server thinks so too.

..

>Mon Feb 4 13:04:04 2008 : Debug: rlm_pap: No clear-text password in the
>request. Not performing PAP.

..

Because it is an EAP request.

..

>Mon Feb 4 13:04:04 2008 : Debug: WARNING: You set Proxy-To-Realm = LOCAL,
>but it is a LOCAL realm! Cancelling invalid proxy request.

..

Hm, so that first entry in users file does something. Try without it. This is why the request doesn't get proxied.

..

>Sending Access-Reject of id 185 to 192.168.1.150 port 32797
>        Reply-Message = ""

..

Without proxying the request at all.

>========
>My thoughts about the output:
>==========================================
>>Mon Feb 4 13:04:03 2008 : Debug: rlm_eap: Request is supposed to be
>proxied to Realm
>SECURACCESS. Not doing EAP.
>
>Detects that we want to proxy domain SECURACCESS. Terminate EAP and only
>proxy PAP.
>

That's not how you terminate EAP. You need to go through the whole TLS negotiation first. Once that is done, inner request will be extracted and that can be proxied.

>
>>Mon Feb 4 13:04:03 2008 : Debug: modsingle[authorize]: calling files
>(rlm_files) for request 0
>>Mon Feb 4 13:04:03 2008 : Debug: users: Matched entry DEFAULT at line
>209
>>Mon Feb 4 13:04:03 2008 : Debug: modsingle[authorize]: returned from
>files (rlm_files) for request 0
>>Mon Feb 4 13:04:03 2008 : Debug: modcall[authorize]: module "files"
>returns ok for request 0
>
>Found the DEFAULT entry in users:
>DEFAULT FreeRADIUS-Proxied-To !* 127.0.0.1, Proxy-To-Realm
>:= LOCAL
>

OK, but that's irrelevant. You should make (users) realm SECURACCESS local too.

>>Mon Feb 4 13:04:04 2008 : Debug: rlm_pap: No clear-text password in the
>request. Not performing PAP.
>
>Not finding a clear-text password?
>Why can't it suddenly use the password stored in the eDirectory (Stored as
>clear-text?).
>

Read the debug ==> No clear-text password in the *request*. That's because the request is still EAP.

>
>>Mon Feb 4 13:04:04 2008 : Debug: modsingle[authorize]: returned from pap
>(rlm_pap) for request 0
>>Mon Feb 4 13:04:04 2008 : Debug: modcall[authorize]: module "pap"
>returns noop for request 0
>>Mon Feb 4 13:04:04 2008 : Debug: modcall: leaving group authorize (returns
>updated) for request 0
>>Mon Feb 4 13:04:04 2008 : Debug: WARNING: You set Proxy-To-Realm =
>LOCAL, but it is a LOCAL
>realm! Cancelling invalid proxy request.
>
>Only a warning right?
>
>>Mon Feb 4 13:04:04 2008 : Debug: auth: type Local
>>Mon Feb 4 13:04:04 2008 : Debug: auth: No User-Password or CHAP-Password
>attribute in the request
>
>Failed due to not finding a User-Password...Why?

Because there is no password in the request - it's an EAP request. You need to finish with EAP first and then PAP attributes will be available.

Ivan Kalik
Kalik Informatika
ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html