Phil Mayers wrote:
> On 24/05/11 08:35, Simon L. wrote:
>> Phil Mayers wrote:
>>> On 05/23/2011 06:53 PM, Simon L. wrote:
>>>
>>>> Please have a look at my new, attached debug log.
>>>
>>> The server you are proxying to sends a reject. Fix that server.
>>>
>>
>> Why does the home server accept a proxied request from radtest but not
>> from a wpa supplicant?
>
> radtest sends (by default) a PAP request.
>
> WPA-Supplicant sends EAP.
>
>> The home server cannot talk eap. As the log shows, the proxy is not
>
> If the home server can't do EAP, how do you expect to proxy EAP to it?
>
> What is the home server?

That's the point, I don't want to proxy eap to the other freeradius (home server).

>
>> doing eap when it forwards a request. Where is the difference?
>
> 802.1x requires EAP support at the radius server. If you are proxying
> the requests to another server, it requires EAP support there, too.

I thought "proxy_tunneled_request_as_eap = no" would proxy without eap, so I did this:

eap.conf:

    eap {
        ...
        peap {
            default_eap_type = mschapv2
            copy_request_to_tunnel = yes
            use_tunneled_reply = yes
            proxy_tunneled_request_as_eap = no
            virtual_server = "proxy-inner-tunnel"
        }
    }

proxy-inner-tunnel:

    server proxy-inner-tunnel {
        authorize {
            update control {
                Proxy-To-Realm := NULL  # I want to proxy realm NULL
            }
        }
        authenticate {
            eap
        }
        post-proxy {
            eap
        }
    }

>
> It *may* be possible to terminate the EAP at FreeRADIUS, and send the
> inner EAP as non-EAP, but this is a hack, and I strongly advise against
> it. This will only work for EAP-TTLS/PAP and EAP-PEAP/MSCHAP

The network between the two freeradius is not public or shared, so I think that would be ok. My above solution proxied eap, but is your hack just an old version of my config? I read several mails from last year, where that problem is solved that way (more or less).

>
> If you want to do that, put the proxy config into
> sites-enabled/inner-tunnel,

Do you mean from proxy.conf or proxy-inner-tunnel?

> and also see eap.conf:
>
> eap {
>   peap {
>     proxy_tunneled_request_as_eap = yes
>   }
> }

I had set it to "no".