Thanks for pointing those things out to me. I am no longer proxying back to myself like that, and I've told the sql module to use stripped user name when possible and it looks like it's all working now.
Best wishes,
Chris

________________________________________
From: freeradius-users-bounces+cmanigan=towerstream....@lists.freeradius.org [freeradius-users-bounces+cmanigan=towerstream....@lists.freeradius.org] on behalf of Phil Mayers [p.may...@imperial.ac.uk]
Sent: Thursday, June 28, 2012 12:49 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: EAP fails when proxying to a realm

On 28/06/12 17:33, Christopher Manigan wrote:
> I am trying to use MSCHAPv2 to authenticate users. This works ok, except
> when I try to proxy to a realm. Pasted below is the debug of a user trying
> to authenticate. The realm is a prefix of the username. What I see buried
> in the debug is:
>
>
> # radiusd -X
> FreeRADIUS Version 2.1.11, for host i686-pc-linux-gnu, built on Jun 28 2012 at 11:37:39

Upgrade to 2.1.12 if possible

> Sending Access-Request of id 22 to 127.0.0.1 port 1812

Why on earth are you proxying back to yourself, to the same virtual server no less? I suspect this is confusing the server, since it fails inside the handler further down.

> [eap] Identity does not match User-Name, setting from EAP Identity.

You are rewriting the username. This doesn't work with EAP. Don't do that. If you need to strip realms etc. use "Stripped-User-Name". Leave the original username alone.

> [eap] Failed in handler
> ++[eap] returns invalid
> Failed to authenticate the user.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html