Kadlecsik Jozsef wrote:
> We have a working freeradius setup, with one exception: when guests try to
> authenticate (EduRoam) it always fails.

You are trying to do EAP locally, *and* proxy EAP to another server.

> Here follows the output of eapol_test:

That isn't necessary.

> And the debugging log of our freeradius server:

That helps.

> rad_recv: Access-Request packet from host 127.0.0.1 port 43327, id=0, length=160
> User-Name = "anonym...@teszt.eduroam.hu"

The original packet from eapol_test.

> +- entering group pre-proxy {...}
...
> Sending Access-Request of id 135 to 195.111.98.4 port 1812
> User-Name = "anonym...@teszt.eduroam.hu"

Which is proxied.

> rad_recv: Access-Challenge packet from host 195.111.98.4 port 1812, id=67,
> length=67

i.e. received an Access-Challenge from the home server.

> Sending Access-Challenge of id 1 to 127.0.0.1 port 43327

i.e. it's being sent back to eapol_test.

> rad_recv: Access-Request packet from host 127.0.0.1 port 43327, id=2,
> length=240

And the NAS is continuing the EAP conversation.

> User-Name = "anonym...@teszt.eduroam.hu"

And this packet isn't proxied. Why?

> rlm_eap: No EAP session matching the State variable.
> [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request

Since it isn't proxied, it's handled locally.

If you simply configure a realm "teszt.eduroam.hu", and tie it to the home server, it *will* work. You've clearly done something else, where the first packet is proxied (somehow), and the later ones aren't.

i.e. you've spent time creating a *complicated* proxy decision that doesn't work, rather than using the *simple* proxying method that is included with the server.

Alan DeKok.
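
The realm-based proxying described in the reply above, sketched as a proxy.conf fragment. This is an added illustration, not part of the message or of the poster's configuration. It assumes FreeRADIUS 2.x syntax and that the stock "suffix" realm module is listed in the authorize section; the home_server and pool names are hypothetical, the shared secret is a placeholder, and the address and port are the ones shown in the quoted debug log.

```conf
# proxy.conf (added example; section names are hypothetical)

# The home server seen in the debug log above.
home_server eduroam_hu_home {
	type   = auth
	ipaddr = 195.111.98.4
	port   = 1812
	secret = REPLACE_WITH_SHARED_SECRET   # placeholder, not a real value
}

home_server_pool eduroam_hu_pool {
	type        = fail-over
	home_server = eduroam_hu_home
}

# Every Access-Request whose User-Name ends in @teszt.eduroam.hu is
# proxied, including the later packets of the same EAP conversation,
# so the local eap module never sees a State it did not issue.
realm teszt.eduroam.hu {
	auth_pool = eduroam_hu_pool
	nostrip   # forward User-Name unchanged, realm included
}
```

With the realm matched by the suffix module on every packet, no per-packet proxy decision in unlang is needed, and running the server in debug mode should show each Access-Request of the conversation being sent to the home server.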