But according to the configuration file:

#  The "suffix" module takes care of stripping the domain
#  (e.g. "@example.com") from the User-Name attribute, and the
#  next few lines ensure that the request is not proxied.
#
#  If you want the inner tunnel request to be proxied, delete
#  the next few lines.
#
update control {
        Proxy-To-Realm := LOCAL
}

So I'm confused, what's the right way to handle this situation?

On Tue, May 29, 2012 at 4:00 PM, alan buxey <a.l.m.bu...@lboro.ac.uk> wrote:
> Hi,
>
>> certificate errors. What could the windows machine be doing different?
>> Why does the machine even enter the picture when the authentication is
>> between the Access Point and the server?
>
> authentication is between the client and the server - mediated over 802.1X
> by the Access point. that's why your client has a supplicant on it..
>
>> Below is the portion of the log which shows the rejection, when using
>> my Android phone, TTLS and MSCHAPv2 (that is what Windows uses isn't
>> it?) Where I am confused is near the bottom, what is causing the
>> rejection?
>
> Win7 will be EAP-PEAPv0/MSCHAPv2
>
>> ++[pam] returns invalid
>
> user/pass in pam?
>
>> WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist!
>> Cancelling invalid proxy request.
>
> that's kind of a big clue. don't do that. it breaks things. just define
> the realm in proxy.conf with no place e.g.
>
> realm whatever.com {
> }
>
>> rlm_pam: Attribute "User-Password" is required for authentication.
>
> you've forced the server to use PAM? MSCHAPv2 doesn't provide 'User-Password'
> so won't work.
>
> what ARE you trying to do?
>
> alan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html