RE: Re: Proxying question for Eduroam

2010-10-20 Thread Peter Kruppa
Hi,

  what is your MTU set to for EAP packets - you may need to reduce this
to eg 1024
  to stop UDP fragmentation of such traffic

Bingo, thanks Alan

Best regards, Peter

-Original message-
Date: Thu, 14 Oct 2010 09:35:25 +0100
From: Alan Buxey a.l.m.bu...@lboro.ac.uk
Subject: Re: Proxying question for Eduroam
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Message-ID: 20101014083525.ga4...@lboro.ac.uk
Content-Type: text/plain; charset=utf-8

Hi,

I managed to reproduce that situation by using eapol_test, in that case
requests to IAS aren't logged and it never replies with an
Access-Challenge.

if you run wireshark on the IAS host - or eg RSPAN its port to sniff
traffic,
do you see the RADIUS traffic going to the IAS box and its daemon?

does nothing log at all in IAS?

what is your MTU set to for EAP packets - you may need to reduce this to
eg 1024
to stop UDP fragmentation of such traffic

..and, finally, is 'Framed-MTU' RADIUS attribute being proxied through
or is it being filtered?

alan




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
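
The MTU and Framed-MTU checks suggested above, as an added example that is not part of the original thread: a small parser that takes the UDP payload of one RADIUS packet (for instance exported from the wireshark capture on each hop) and reports whether Framed-MTU is present, how much EAP payload it carries, and whether the resulting IPv4 datagram exceeds the link MTU. The sample packets, the 1500-byte link MTU and the function names are assumptions constructed for illustration.

```python
import struct

FRAMED_MTU, EAP_MESSAGE, PROXY_STATE, MESSAGE_AUTH = 12, 79, 33, 80  # RFC 2865/3579
IP_UDP_OVERHEAD = 20 + 8  # IPv4 header without options + UDP header

def parse_attributes(packet):
    """Yield (type, value) for each attribute of one RADIUS packet (UDP payload)."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # skip code, identifier, length, 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def fragmentation_report(packet, link_mtu=1500):
    """Report Framed-MTU, total EAP payload and whether the datagram exceeds link_mtu."""
    framed_mtu, eap_bytes = None, 0
    for atype, value in parse_attributes(packet):
        if atype == FRAMED_MTU and len(value) == 4:
            framed_mtu = struct.unpack("!I", value)[0]
        elif atype == EAP_MESSAGE:
            eap_bytes += len(value)
    ip_size = struct.unpack("!H", packet[2:4])[0] + IP_UDP_OVERHEAD
    return {"framed_mtu": framed_mtu, "eap_bytes": eap_bytes,
            "ip_datagram": ip_size, "fragments": ip_size > link_mtu}

# --- constructed sample packets (not captured traffic) ---
def build_packet(code, attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

def eap_attrs(n):  # n EAP bytes split into 253-byte EAP-Message attributes
    return [(EAP_MESSAGE, bytes(n)[i:i + 253]) for i in range(0, n, 253)]

HOP_EXTRAS = [(MESSAGE_AUTH, bytes(16)), (PROXY_STATE, bytes(16)), (PROXY_STATE, bytes(16))]
REQUEST = build_packet(1, [(FRAMED_MTU, struct.pack("!I", 1024))] + eap_attrs(50))
BIG_CHALLENGE = build_packet(11, eap_attrs(1400) + HOP_EXTRAS)
SMALL_CHALLENGE = build_packet(11, eap_attrs(1020) + HOP_EXTRAS)

if __name__ == "__main__":
    for name, pkt in [("request", REQUEST), ("big", BIG_CHALLENGE), ("small", SMALL_CHALLENGE)]:
        print(name, fragmentation_report(pkt))
```

Running it on the same request captured before and after the proxy shows whether Framed-MTU was filtered on the way through (`framed_mtu` becomes `None`).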


Proxying question for Eduroam

2010-10-14 Thread Peter Kruppa
Hi all,

 

We use a freeradius proxy for proxying wireless PEAP requests to one of
our two domains (via IAS and NPS in the near future) or to the next
Eduroam proxy.

Vice versa, PEAP requests sent by our students at other schools are
forwarded to our freeradius proxy.

Everything seems to work when we use the wireless clients of Windows,
Mac OS 10, Linux, smartphones, etc., but there is one scenario where
it won't work and which some schools use for testing.

 

I managed to reproduce that situation by using eapol_test, in that case
requests to IAS aren't logged and it never replies with an
Access-Challenge.

 

The versions of the software are:

FreeRADIUS 2.1.8+dfsg-1ubuntu1

OpenSSL 0.9.8k-7ubuntu8.3

Eapol_test from wpa_supplicant 0.7.3

 

The configuration is simple and transparent, we have some clients and
some proxies, on the basis of the realm the request is proxied to the
next radius server, without termination of EAP at freeradius.

If EAP is the problem, I could terminate the EAP tunnel for our 2 domains
on freeradius, how should I do that? Do I need to use the inner-tunnel?
Or proxy-inner-tunnel (what about Proxy-To-Realm then because we have 2
domains)?

 

In any case I would like to use a method without using winbind.

Hope someone will give me a hint...

 

Best regards,

Peter Kruppa

 

