You are using an outdated version of the server which doesn't support
virtual servers. In the current version EAP is processed by the default
virtual server while the inner tunnel is processed by the inner-tunnel
virtual server. If you don't want to upgrade you can emulate this by
using real ones.

Set up another radius server with identical configuration which will
process inner tunnel requests. Add realm inner-tunnel to the current
server proxy.conf which will proxy requests to the new server. Add this
to users file:

DEFAULT   FreeRADIUS-Proxied-To = 127.0.0.1, Proxy-To-Realm := "inner-tunnel"

That way the stripped username will be sent to the inner-tunnel server
for authentication (which you have shown to work). You can't simply
rewrite User-Name with Stripped-User-Name in your current setup because
EAP will fail.

Ivan Kalik
Kalik Informatika ISP


On 1/9/2008, "Thomas von Eyben" <[EMAIL PROTECTED]> wrote:

>I have now done a lot of debugging with my OS X Server + Open
>Directory Users setup:
>
>Using an Apple Access Point AND using Apple's Server Admin management
>tool to configure radiusd I am able to authenticate to Open Directory
>users BUT only when I provide my shortname without the realm/domain
>name.
>EG Authenticating as user "u1" works, but authenticating as user
>"[EMAIL PROTECTED]" does not work.
>
>I now know that it IS possible to authenticate towards OD :)
>Unfortunately I am unable to figure out how to change the
>configuration to solve my problem authenticating users like
>"[EMAIL PROTECTED]"
>
>A complete debug is available here:
>http://voneyben.net/radius/auth-u1-ok.txt
>http://voneyben.net/radius/[EMAIL PROTECTED]
>
>When authenticating ("u1") is done correctly this part looks interesting:
>    rlm_realm: No '@' in User-Name = "u1", looking up realm NULL
>    rlm_realm: Found realm "NULL"
>    rlm_realm: Adding Stripped-User-Name = "u1"
>    rlm_realm: Proxying request from user u1 to realm NULL
>    rlm_realm: Adding Realm = "NULL"
>    rlm_realm: Authentication realm is LOCAL.
>
>When authenticating ([EMAIL PROTECTED]) is going bad this part looks interesting:
> modcall[authorize]: module "mschap" returns noop for request 0
>    rlm_realm: Looking up realm "voneyben.net" for User-Name = "[EMAIL PROTECTED]"
>    rlm_realm: Found realm "voneyben.net"
>    rlm_realm: Adding Stripped-User-Name = "u1"
>    rlm_realm: Proxying request from user u1 to realm voneyben.net
>    rlm_realm: Adding Realm = "voneyben.net"
>    rlm_realm: Authentication realm is LOCAL.
>
>
>So how do I modify proxy.conf to get the "[EMAIL PROTECTED]" to be
>handled the same way as "u1", meaning to get Apple's Open Directory to
>do its thing :)
>
>Currently the realm in proxy.conf looks like this:
>realm voneyben.net {
>       type            = radius
>       authhost        = LOCAL
>       accthost        = LOCAL
>}
>
>The complete config files are available here;
>http://voneyben.net/radius/proxy.conf
>http://voneyben.net/radius/radiusd.conf
>http://voneyben.net/radius/eap.conf
>
>And - to save a lot of scrolling  - without the comments:
>http://voneyben.net/radius/proxy-no-comments.conf
>http://voneyben.net/radius/radiusd-no-comments.conf
>http://voneyben.net/radius/eap-no-comments.conf
>
>- TvE
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
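Added example, not part of the original messages or of FreeRADIUS: a small Python parser for rlm_realm debug lines in the format quoted above. It reports what rlm_realm decided for each request and flags locally handled requests whose User-Name still differs from the Stripped-User-Name, the case this thread is about. The user and realm names in the sample are constructed, and the function names are this example's own.

```python
import re

# Constructed sample in the rlm_realm debug format quoted in the thread
# (user "alice" and realm "example.org" are made up for this example).
SAMPLE_DEBUG = """\
    rlm_realm: No '@' in User-Name = "alice", looking up realm NULL
    rlm_realm: Found realm "NULL"
    rlm_realm: Adding Stripped-User-Name = "alice"
    rlm_realm: Proxying request from user alice to realm NULL
    rlm_realm: Adding Realm = "NULL"
    rlm_realm: Authentication realm is LOCAL.
 modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: Looking up realm "example.org" for User-Name = "alice@example.org"
    rlm_realm: Found realm "example.org"
    rlm_realm: Adding Stripped-User-Name = "alice"
    rlm_realm: Proxying request from user alice to realm example.org
    rlm_realm: Adding Realm = "example.org"
    rlm_realm: Authentication realm is LOCAL.
"""

START = re.compile(
    r'rlm_realm: (?:No \'@\' in|Looking up realm "[^"]*" for) User-Name = "([^"]*)"')
FOUND = re.compile(r'rlm_realm: Found realm "([^"]*)"')
STRIPPED = re.compile(r'rlm_realm: Adding Stripped-User-Name = "([^"]*)"')
LOCAL = re.compile(r'rlm_realm: Authentication realm is LOCAL')

def realm_decisions(debug_text):
    """Return one dict per rlm_realm pass found in the debug output."""
    decisions, cur = [], None
    for line in debug_text.splitlines():
        m = START.search(line)
        if m:  # a new rlm_realm pass begins with the User-Name lookup line
            cur = {"user_name": m.group(1), "realm": None,
                   "stripped": None, "local": False}
            decisions.append(cur)
        elif cur is None:
            continue  # ignore anything before the first rlm_realm pass
        elif (m := FOUND.search(line)):
            cur["realm"] = m.group(1)
        elif (m := STRIPPED.search(line)):
            cur["stripped"] = m.group(1)
        elif LOCAL.search(line):
            cur["local"] = True
    return decisions

def name_mismatches(decisions):
    """Locally handled requests whose User-Name differs from Stripped-User-Name."""
    return [d for d in decisions
            if d["local"] and d["stripped"] and d["stripped"] != d["user_name"]]
```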
