Hi,

> First off, forgive me if this has been asked before on this list (I did do a 
> search first, yet no results proved useful).
> 
> I am on a fact finding mission to see whether freeradius is going to be 
> feasible to deploy in my environment (~50 users over ~40 windows and linux 
> desktops). On a test network I have configured an Ubuntu 9.10 Server with a 
> patched freeradius that has openssl (oh what fun that was to build).

err, well, in that case the answer is yes. hundreds of Universities
across Europe have installed FreeRADIUS to handle 802.1X authentication
wired/wireless of their clients. at our site alone we have over 3000
clients per day authenticating against FR with concurrent usage being
around 1200 wireless and 500 wired....with the remaining systems that
aren't yet configured STILL using FreeRADIUS for captive portal
authentication and VMPS (and MAC auth bypass now).  heck...for around 50
machines you even have the ability to just configure the clients by
hand - even use EAP-TLS whereas for bigger numbers..the issue isn't FR -
it's the rollout or deployment of the required configuration

> rad_recv: Access-Request packet from host 192.168.1.1 port 3079, id=0, length=145
>     User-Name = "u...@example.com"
>     NAS-IP-Address = 192.168.1.1

cool. incoming request from NAS

> [suffix] Looking up realm "example.com" for User-Name = "u...@example.com"
> [suffix] Found realm "example.com"
> [suffix] Adding Stripped-User-Name = "user"
> [suffix] Adding Realm = "example.com"
> [suffix] Proxying request from user user to realm example.com
> [suffix] Preparing to proxy authentication request to realm "example.com"
> ++[suffix] returns updated
> [eap] Request is supposed to be proxied to Realm example.com.  Not doing EAP.

hmm. okay

> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[unix] returns notfound
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Identity does not match User-Name, setting from EAP Identity.
> [eap] Failed in handler
> ++[eap] returns invalid
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}

okay. EAP user-name doesn't match the original identity...and no user
found either.

2 things you need to ensure

1) in proxy.conf you have 'nostrip' defined for example.com

2) in users file you include the details for the user 'user'  eg

user Cleartext-Password := "password"


alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
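
The failure pattern discussed in this thread can be picked out of `radiusd -X` output mechanically. The following is an added example, not part of the original message or of FreeRADIUS: a small Python triage helper that flags requests where the suffix module stripped the realm and EAP then rejected on an identity mismatch. The function name `triage`, the `check_nostrip` field and the sample User-Name are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the debug output quoted in this thread;
# the User-Name value is a made-up placeholder.
SAMPLE_DEBUG = '''\
rad_recv: Access-Request packet from host 192.168.1.1 port 3079, id=0, length=145
    User-Name = "user@example.com"
    NAS-IP-Address = 192.168.1.1
[suffix] Looking up realm "example.com" for User-Name = "user@example.com"
[suffix] Found realm "example.com"
[suffix] Adding Stripped-User-Name = "user"
[suffix] Adding Realm = "example.com"
++[suffix] returns updated
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
'''

def triage(debug_text):
    """Return one finding dict per Access-Request seen in radiusd -X output."""
    findings, cur = [], None
    for line in debug_text.splitlines():
        line = line.strip()
        if line.startswith("rad_recv: Access-Request"):
            cur = {"user_name": None, "stripped": None, "realm": None,
                   "identity_mismatch": False, "rejected": False}
            findings.append(cur)
        elif cur is None:
            continue  # ignore anything before the first request
        elif m := re.match(r'User-Name = "(.*)"$', line):
            cur["user_name"] = m.group(1)
        elif m := re.match(r'\[suffix\] Adding Stripped-User-Name = "(.*)"$', line):
            cur["stripped"] = m.group(1)
        elif m := re.match(r'\[suffix\] Adding Realm = "(.*)"$', line):
            cur["realm"] = m.group(1)
        elif "Identity does not match User-Name" in line:
            cur["identity_mismatch"] = True
        elif line == "Failed to authenticate the user.":
            cur["rejected"] = True
    for f in findings:
        # Pattern from the thread: realm was stripped, then EAP rejected the
        # request on an identity mismatch -> review 'nostrip' for that realm.
        f["check_nostrip"] = bool(f["stripped"] and f["identity_mismatch"]
                                  and f["rejected"])
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_DEBUG):
        print(f)
```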
