Thanks for the reply. I've left the Local {} alone in the proxy.conf file.
I've taken out the "DEFAULT EAP-TYPE.." from the users file. I've taken out all perl references from the sites-enabled/default and moved them to sites-enabled/inner-tunnel >I assume you hardcoded that in perl sub authorize. That's a good place >for it. Put it back. I'm not sure what you mean. Here is the new log: ------------------------------------------------------------------------ --------- Ready to process requests. rad_recv: Access-Request packet from host 192.168.240.78 port 2565, id=118, length=152 Message-Authenticator = 0xc4502f1e386b9fdcd2d095862915551d User-Name = "192.168." NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" EAP-Message = 0x02f1000d016c6a61636b736f6e Framed-MTU = 1000 Called-Station-Id = "0001F4-B6-1B-80\0004" NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 241 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 118 to 192.168.240.78 port 2565 EAP-Message = 0x01f200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2eb069552e427044fa9b3b9c6df5c6ff Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2565, id=119, length=249 Message-Authenticator = 0x069b37b2ecf7a36edb9c581f848d9ce9 User-Name = "192.168." State = 0x2eb069552e427044fa9b3b9c6df5c6ff NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x02f2005c190016030100510100004d030149c281bb53687b34071ca2e5b38c3b0b6fff 5d19ebbc4ca51b11a45f82eb1da600002600390038003500160013000a00330032002f00 050004001500120009001400110008000600030100 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 242 length 92 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0051], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange TLS_accept: SSLv3 write key exchange A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 119 to 192.168.240.78 port 2565 EAP-Message = 0x01f303e419c000000acd160301004a02000046030149c26cc54f36624e97984c353fd6 febf8ac11f718be7a317523cb2ec51d441db20007643dca31a0dc8721df5ecd3af888cee 91d082de6b97048be35489cc70e8dc003900160301085e0b00085a0008570003a6308203 a23082028aa003020102020101300d06092a864886f70d0101040500308193310b300906 0355040613024652310f300d060355040813065261646975733112301006035504071309 536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e 06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603 5504 EAP-Message = 0x03131d4578616d706c6520436572746966696361746520417574686f72697479301e17 0d3039303232363138313530335a170d3130303232363138313530335a307c310b300906 0355040613024652310f300d0603550408130652616469757331153013060355040a130c 4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665 722043657274696669636174653120301e06092a864886f70d010901161161646d696e40 6578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f0030 82010a0282010100af91ce4cc96ce447a1b9ce6a3c8d5cee06559ffe5d6c58649c8af10c f4d8 EAP-Message = 0x2196a122f04a957a7ca72043e3f61c0e4149a18d32bea21f5807e44e710762d5ede33f 41f89e5238ba8ec146775ec45f90335564a0ccdf9d7332b714993b527776d70068a939f5 8c7475e677850446ef1de2427a39b1469d4707f59723cc3c5c432426f51d899e3df16df4 8641151eb1a34b9aacf00fb3380f43db62d6efe38255abd22667ba5a4a4d0de897d955eb 54532c642b009994eb1d4353ab340852d9a2db429111f08e31dc5a5c063a1b4625023d21 496f55717d44b2ef1638b6cce64bf716e719d885f20b305fed4e6d94a8ecb1201d43389c bbd9e48328d7f8850641d50203010001a317301530130603551d25040c300a06082b0601 0505 EAP-Message = 0x070301300d06092a864886f70d010104050003820101005e3f3bed588f5e438581d8ab df869d6e5b9751c0407043ba804bae8a935f2ccfda3e106c7b9bd3c41e3baa1e6bea239a 7878a67fa523f76e9207640ce1900a71ee645e0a200007826520944b15177a2d855ba97f 35b5484cc4476b4c49bbcc55fa40b919506eb73e3f6f35c87ed3d38fca2b33a82d541a10 8e60a54b958ebab48dbcbed264380c05df5c4e8839169ade9bed2cde41faa08755b53dfe 9a4a8fe7417795f1149529d9e2ad6c0c6f610a12772c3a5b1dca9826bc8e55ba4d17bd2e 60db88e70bb9f66b22433be9a9d28522870278805bab Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2eb069552f437044fa9b3b9c6df5c6ff Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2565, id=120, length=163 Message-Authenticator = 0x503ddd72c6db548c6fec4fb9218e8b34 User-Name = "192.168." State = 0x2eb069552f437044fa9b3b9c6df5c6ff NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x02f300061900 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 243 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 120 to 192.168.240.78 port 2565 EAP-Message = 0x01f403e01940192b141d954ba5dad16f574bfa9c6f1069e1fda082afc3ba1fc97a0d15 1f664e5dd53aed97cf332119fe0004ab308204a73082038fa003020102020900bad26bfd 4ce6479b300d06092a864886f70d0101050500308193310b300906035504061302465231 0f300d060355040813065261646975733112301006035504071309536f6d657768657265 31153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d01 0901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d 706c6520436572746966696361746520417574686f72697479301e170d30393032323631 3831 EAP-Message = 0x3530315a170d3039303332383138313530315a308193310b3009060355040613024652 310f300d060355040813065261646975733112301006035504071309536f6d6577686572 6531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d 010901161161646d696e406578616d706c652e636f6d312630240603550403131d457861 6d706c6520436572746966696361746520417574686f7269747930820122300d06092a86 4886f70d01010105000382010f003082010a0282010100c005918d15156e31de5cad4be4 3bcee9a30544cbd7814d9e8b125c6aefc9a71a5c8d815d1cc12b0f37be7b2b30abd5cb4c 696e EAP-Message = 0x9f5aa45dd330796a68c9440b1114f9181342ef7006f2ca01e8805e580f4505da0d6b20 c3e5ec1c85ac9473c4ce52cbba3917612d45f3d2ddcd0a7da895a57d4ef7defd41353010 449e124599e5d3115874e99c358e6448a5b78d84626d9b4479134e2fe45407e7088bf193 0a59b64aa4d17dc992cd317ea3ace04b31064a61647847ad710d6f458d128810e2152bc4 60182cf327c63cf30639c3072fbd5ac302e525319efdb02c7e3a33026e7228186d464695 aa1e00e461fc004d86f4aabb8be9f06db98714d5ef63b51c433d0203010001a381fb3081 f8301d0603551d0e04160414d00f03b207edebc2780daafc959d2c27157dcad13081c806 0355 EAP-Message = 0x1d230481c03081bd8014d00f03b207edebc2780daafc959d2c27157dcad1a18199a481 96308193310b3009060355040613024652310f300d060355040813065261646975733112 301006035504071309536f6d65776865726531153013060355040a130c4578616d706c65 20496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e 636f6d312630240603550403131d4578616d706c65204365727469666963617465204175 74686f72697479820900bad26bfd4ce6479b300c0603551d13040530030101ff300d0609 2a864886f70d01010505000382010100183c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2eb069552c447044fa9b3b9c6df5c6ff Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2565, id=121, length=163 Message-Authenticator = 0x8021baa596732e32a6b6ff9e1b452e15 User-Name = "192.168." State = 0x2eb069552c447044fa9b3b9c6df5c6ff NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x02f400061900 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 244 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 121 to 192.168.240.78 port 2565 EAP-Message = 0x01f5031f19005647775d06a03ebb8b89c3256914ceac4171e7ee41b3bb5f8497c3f7ee a643ac0637116e282046f3611e910dcf39d779ad13a14a68e75e9c416af68cb8474782e1 d77d20cbb4785c40d8b36de0f2caca1c5a477b3a09c488d3065b0865e63b546965fa1bc7 0c89f578eb1c88bcd329c3afb49730d0af199bf022be1f0cb74f71fde6d6be2f23af396c 883b5411c107b4d6fc51bc2bc07534c6d6d352c9afde1cb48565b9b669489403d0940d0d a70125b2073f724b7d1e3cd7cf5f31432eb7a659105af9fb92e5f67d36ad6c15321a218a 34f89235844c88cc09f44d39151cbbc12c70d4f6dba5f9e80cbfb2af15bb644c7749a3b3 4a57 EAP-Message = 0x50b8f96e2da78c160301020d0c000209008095c28ea954c729df2931ea0e63d9b9ab25 cdacbad88a7ded24c19ae298dddfd9b9b2dfba285398d544e1aebe2e6fd4302399a2a156 a1be615d6b7579973fe3323c4f65428282088b141e06ee2d99144c7b458bb1da4ec85778 a8806b2e9183475abdc4707fd70974a7bfeb9068894e5b15a6a576a266a6ccf9e439a224 28445300010200806451d1e70e3b2f3c6b16032225bfbfa0571e088d772244d6114bfdc7 e704b05a982c91cf7e935e6ca504b8e627d87d66c44cd4cd3346743b92de99e165af6243 7e235b8fdb20ef865773e2051aa64cb3992591540f63be59d7d57846df902df896b8dea4 f3dd EAP-Message = 0x5a6d1abc0969afe5ac36fa1dfca84627c8bb5359304c6b1c857501003e52b848548114 af61b043b7e103d1b257b0e1c0d67b2825dd9d1d789fc91961e318c38bd42e7ad0a4a7b6 43c594d0947cc40f5ece2f5dfb6184def83ecfa55f821e6d9bbc0760d121b64fa3bff6b8 47ba3c4d2531323870be303cdd6703bd5f3d16a25bbfb0d997772274dd487cd1d50ebd34 f282852d5b3df60af456b45cc3c2066193baa3501d1960c63e3e91a41966ed99870141de d5ba43537ca4627cf16a784887de21eb8600d7a895ef3ab6995430c047883bc835b5b7b4 92ca50808e92ac84a4ac17afe7ec464258d7215768345010bb4ace43e687a18a0973bf13 d125 EAP-Message = 0x964c15fee685a3ff5a50de93701f30c2d6faa7d3cf74d941ef81690e4afabf16030100 040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2eb069552d457044fa9b3b9c6df5c6ff Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2565, id=122, length=361 Message-Authenticator = 0x2cb5386bb255577cae477eab5882bc80 User-Name = "192.168." State = 0x2eb069552d457044fa9b3b9c6df5c6ff NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x02f500cc19001603010086100000820080203c7a10fc7157eba989f712fd6eeda8eedb 92e3672f5c1f07b72f9ef3fedd0f88314e2be7a453f7f1389c9a34a27c3ce35285aba2cd e83653d0c97acde03abcc6f69cbe42cd73f554d82495ed7c8e130de0e6b1e79d3fd61a50 a32c5f6544cb71885520ca3002cb2c5d137ac3c4176ec46f3b2950108778f1e71462b056 d4d214030100010116030100308900f632f1d415796123682b97976590b06e95cb7a76fb 8c3eae09384be8d3fd2b696178c686c25508a09e5587239f59 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 245 length 204 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 122 to 192.168.240.78 port 2565 EAP-Message = 0x01f60041190014030100010116030100308d00339e38242c4d72c4e844e9de1df7f6f7 cde044594e5a32a5c0543a335d477fb74586d3a1743dbc94122d9008c7ee Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2eb069552a467044fa9b3b9c6df5c6ff Finished request 4. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2565, id=123, length=163 Message-Authenticator = 0x641bc71b0531b0ccbbca5435e0b439fe User-Name = "192.168." State = 0x2eb069552a467044fa9b3b9c6df5c6ff NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x02f600061900 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 246 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 123 to 192.168.240.78 port 2565 EAP-Message = 0x01f7002b1900170301002076a95031c176e3d15df7749cf6458354b9940cd936dbccb1 d5cf289cdd7372d1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2eb069552b477044fa9b3b9c6df5c6ff Finished request 5. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2565, id=124, length=237 Message-Authenticator = 0x49a531b23ada3c39f6a897f7d10f0c42 User-Name = "192.168." State = 0x2eb069552b477044fa9b3b9c6df5c6ff NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x02f7005019001703010020fe8b92ea49f5055ec724f9da4b10fb99a1d4b5e4652ae576 3529b1bfd353c8aa170301002019c55b3fcab62b6c91ec7e8f7ae5715b346b8ae5102a20 d66d87f4604a2e8843 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 247 length 80 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - 192.168. PEAP: Got tunneled identity of 192.168. PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to 192.168. +- entering group authorize ++[mschap] returns noop rlm_realm: No '@' in User-Name = "192.168.", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: Request is supposed to be proxied to Realm LOCAL. Not doing EAP. ++[eap] returns noop ++? if (EAP-Message) ? Evaluating (EAP-Message) -> TRUE ++? if (EAP-Message) -> TRUE ++- entering if (EAP-Message) +++[noop] returns noop ++- if (EAP-Message) returns noop ++ ... skipping elsif for request 6: Preceding "if" was taken ++ ... skipping elsif for request 6: Preceding "if" was taken ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request. auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [192.168.] (from client DORMTEST2_M80 port 0 via TLS tunnel) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ++[eap] returns handled Sending Access-Challenge of id 124 to 192.168.240.78 port 2565 EAP-Message = 0x01f8002b190017030100209027fdf63396cfcaac9f84091c71949bd21d23e845deac24 cd40b704770d422c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2eb0695528487044fa9b3b9c6df5c6ff Finished request 6. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2565, id=125, length=237 Message-Authenticator = 0x41b5e8fbbea177d13ea559438d073fd9 User-Name = "192.168." State = 0x2eb0695528487044fa9b3b9c6df5c6ff NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x02f8005019001703010020ab0aecbfaf4745ba42886a5578729502b900143a5989eb29 c80961d95bdeabfd170301002042e0297f34f85a88ae11939eb39077fa541f57f7cbb9cc 1559f956125fc965d8 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 248 length 80 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Login incorrect: [192.168.] (from client DORMTEST2_M80 port 4 cli 00-16-D3-30-E5-74) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> 192.168. attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 125 to 192.168.240.78 port 2565 EAP-Message = 0x04f80004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 7. Going to the next request Waking up in 4.7 seconds. Cleaning up request 0 ID 118 with timestamp +9 Cleaning up request 1 ID 119 with timestamp +9 Cleaning up request 2 ID 120 with timestamp +9 Cleaning up request 3 ID 121 with timestamp +9 Waking up in 0.1 seconds. Cleaning up request 4 ID 122 with timestamp +9 Cleaning up request 5 ID 123 with timestamp +9 Cleaning up request 6 ID 124 with timestamp +9 Cleaning up request 7 ID 125 with timestamp +9 Ready to process requests. -----Original Message----- From: t...@kalik.net [mailto:t...@kalik.net] Sent: Thursday, March 19, 2009 12:18 PM To: FreeRadius users mailing list Subject: RE: Perl/Peap-MSChapV2 Issues >In my proxy.conf file, I have > >Realm LOCAL { >} > >I noticed right above that, that it suggest to add "DEFAULT EAP-TYPE == >PEAP, Proxy-To-Realm := LOCAL to the users file. So I added that to the >users file. Is realm Local {} not correct? If not, what should it be? Nothing. Zou can delete that DEFAULT entry. > >In the sites-enabled/default I had eap { ok = return} before I had the >statement calling perl, so I moved the eap {} to after the perl >statement. This is in the authorize function. > Put it back as it was. You don't need perl in TLS exchange. Don't list it in default virtual server. > >I did hardcode the Auth-Type perl because the wiki said to in the users >file. I've taken that out now. > I assume you hardcoded that in perl sub authorize. That's a good place for it. Put it back. >I know that perl is being initiated because this is in the log file, > >Module: Instantiating perl > perl { > module = "/etc/raddb/perl/authorize.pl" > func_authorize = "authorize" > func_authenticate = "authenticate" > >and I do call perl in the authorize section of the sites-enabled/default >file. No, don't call perl in default virtual server. Call it in authorize and authenticate in inner-tunnel virtual server. That's where (if you haven't made changes to eap.conf) mschap authentication takes place. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html