Change use_tunneled_reply to yes in the peap section of eap.conf.

Ivan Kalik
Kalik Informatika ISP
On 14/11/2008, "Tod A. Sandman" <[EMAIL PROTECTED]> wrote:

>> Ivan Kalik wrote:
>>> Why don't you map that in ldap.attrmap?
>
> Thanks so much. I removed all LDAP settings from users, and I have
> TTLS-PAP working fine with redundant LDAP for authorization and
> Kerberos for Authentication.
>
> Now I can't get the only other mode we need: PEAP/MSChapv2. LDAP
> authorization is working fine, and the ntlm-auth authentication works
> fine, but required attributes are not being sent back in the
> Access-Accept packet.
>
> Unlike when I connect via TTLS-PAP, the Access-Accept does not include
> some required attributes. The debug output shows them getting set
> properly within sites-enabled/inner-tunnel and getting updated with
> "update outer.reply", but they get dropped before the Access-Accept
> packet.
>
> I haven't touched sites-enabled/default.
>
> I enabled ldap in sites-enabled/inner-tunnel, and afterwards I do
> an "update outer.reply", i.e.:
>
>     redundant-load-balance redundant_ldap {
>         ldap1
>         ldap2
>         ldap3
>     }
>
>     update outer.reply {
>         Cisco-AVPair := "%{reply:Connect-Info}"
>         Class := "OU=%{reply:Connect-Info}"
>     }
>
> and the debug output shows this working.
>
> But the Access-Accept does not include these attributes as it does
> when I use TTLS-PAP.
>
> I tried moving the "update outer.reply" to the post-auth section, but
> this did not help.
>
> My config is quite close to the default. The only PEAP-related change
> I made was to update modules/mschap with the correct ntlm_auth line.
>
> Thanks for any ideas.
>
> Tod Sandman
> Sr. Systems Administrator
> Middleware Development & Integration
> Rice University

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
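The setting named in the reply above decides whether the Class and Cisco-AVPair attributes set inside inner-tunnel ever reach the outer Access-Accept; when it is left at no, the NAS authorizes on the reply for the outer (usually anonymous) identity and the inner authorization data is silently dropped. The following Python check is an added example, not code from the list post or from FreeRADIUS: it parses the brace-delimited `section { key = value }` layout of eap.conf (comments, quoted and bare values only, no `$INCLUDE` handling) and reports which tunnel methods still discard the inner reply. The eap.conf excerpt is constructed.

```python
import re

# Constructed eap.conf excerpt (not a real deployment file).
# peap is still at the shipped default, which is the symptom in the post.
SAMPLE_EAP_CONF = """
eap {
    default_eap_type = peap
    ttls {
        default_eap_type = md5
        use_tunneled_reply = yes   # inner reply attrs are copied outward
    }
    peap {
        default_eap_type = mschapv2
        use_tunneled_reply = no    # Class / Cisco-AVPair from inner-tunnel are dropped
        virtual_server = "inner-tunnel"
    }
}
"""

SECTION_RE = re.compile(r'^\s*([\w.-]+)(?:\s+([\w.-]+))?\s*\{\s*$')
KEYVAL_RE = re.compile(r'^\s*([\w.-]+)\s*=\s*("[^"]*"|[^\s#]+)')


def parse_conf(text):
    """Parse the config into nested dicts: sections -> dict, key = value -> str.

    Assumption: values never contain a literal '#', so trailing comments can be
    stripped before matching. Quotes around values are removed.
    """
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        cur = stack[-1] if stack else root
        if line.strip() == '}':
            stack.pop()
        elif (m := SECTION_RE.match(line)):
            stack.append(cur.setdefault(m.group(1), {}))
        elif (m := KEYVAL_RE.match(line)):
            cur[m.group(1)] = m.group(2).strip('"')
    return root


def tunneled_reply_status(conf):
    """Map each configured tunnel method under eap {} to its use_tunneled_reply value.
    A missing key is treated as 'no', the value the shipped eap.conf uses."""
    eap = conf.get('eap', {})
    return {m: eap[m].get('use_tunneled_reply', 'no') for m in ('peap', 'ttls') if m in eap}


def methods_dropping_inner_reply(conf):
    """Tunnel methods whose inner-tunnel reply attributes will not reach the Access-Accept."""
    return sorted(m for m, v in tunneled_reply_status(conf).items() if v.lower() != 'yes')
```

Run it against the real eap.conf by reading the file into `parse_conf`; an empty list from `methods_dropping_inner_reply` means every tunnel method forwards its inner reply.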