Turns out that I had mis-configured my proxy.conf.

In proxy.conf I failed to set the authhost = LOCAL for realm columbia.edu.   
Fixed that and now it seems to be working.  

Thanks.
-- 
Zahid

On Jan 13, 2012, at 1:35 PM, Zahid Mehmood wrote:

> Hi,
>     I've seen some older posts where people have said that they support 
> Eduroam using FreeRadius.  Hoping someone can help me with the problem I'm 
> experiencing.
> 
> For our local WPA2 authentication we require our users to use their Columbia 
> ID as the username and this works fine.  When I try 
> i...@columbia.edu for eduroam, it gets proxied to 
> LOCAL server and fails with the following error.
> 
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Identity does not match User-Name, setting from EAP Identity.
> 
> I have a fresh/clean install of FreeRadius 2x with default configuration 
> files.  Updated default and inner-tunnel server to add pam support.
> 
> From debug log:
> 
> rad_recv: Access-Request packet from host 128.59.62.32 port 45488, id=0, length=146
> User-Name = "eduroam_t...@columbia.edu"
> NAS-IP-Address = 127.0.0.1
> Calling-Station-Id = "02-00-00-00-00-01"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 11Mbps 802.11b"
> EAP-Message = 0x020000180172743234333040636f6c756d6269612e656475
> Message-Authenticator = 0xb334b8507a04305945e17feec2e2e417
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] Looking up realm "columbia.edu" for User-Name = "eduroam_t...@columbia.edu"
> [suffix] Found realm "columbia.edu"
> [suffix] Adding Stripped-User-Name = "eduroam_test"
> [suffix] Adding Realm = "columbia.edu"
> [suffix] Proxying request from user eduroam_test to realm columbia.edu
> [suffix] Preparing to proxy authentication request to realm "columbia.edu"
> ++[suffix] returns updated
> [eap] Request is supposed to be proxied to Realm columbia.edu.  Not doing EAP.
> ++[eap] returns noop
> [files] users: Matched entry DEFAULT at line 203
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
>  WARNING: Empty section.  Using default return values.
> Sending Access-Request of id 215 to 127.0.0.1 port 1812
> User-Name = "eduroam_test"
> NAS-IP-Address = 127.0.0.1
> Calling-Station-Id = "02-00-00-00-00-01"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 11Mbps 802.11b"
> EAP-Message = 0x020000180172743234333040636f6c756d6269612e656475
> Message-Authenticator = 0x00000000000000000000000000000000
> Proxy-State = 0x30
> Proxying request 7 to home server 127.0.0.1 port 1812
> Sending Access-Request of id 215 to 127.0.0.1 port 1812
> User-Name = "eduroam_test"
> NAS-IP-Address = 127.0.0.1
> Calling-Station-Id = "02-00-00-00-00-01"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 11Mbps 802.11b"
> EAP-Message = 0x020000180172743234333040636f6c756d6269612e656475
> Message-Authenticator = 0x00000000000000000000000000000000
> Proxy-State = 0x30
> Going to the next request
> Waking up in 0.9 seconds.
> rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=215, length=136
> User-Name = "eduroam_test"
> NAS-IP-Address = 127.0.0.1
> Calling-Station-Id = "02-00-00-00-00-01"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 11Mbps 802.11b"
> EAP-Message = 0x020000180172743234333040636f6c756d6269612e656475
> Message-Authenticator = 0x270f1270f21cd9a6ed616f1bf7644e74
> Proxy-State = 0x30
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "eduroam_test", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 0 length 24
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> [files] users: Matched entry DEFAULT at line 203
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Identity does not match User-Name, setting from EAP Identity.
> [eap] Failed in handler
> ++[eap] returns invalid
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> eduroam_test
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 8 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 8
> 
> Any suggestions?
> 
> Thanks.
> 
> --
> Zahid
> 
> **********
> Participation and subscription information for this EDUCAUSE Constituent 
> Group discussion list can be found at http://www.educause.edu/groups/.
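
Added example (not part of the original thread and not FreeRADIUS code): a Python check over `radiusd -X` style output for the two symptoms visible in the debug log above, a request proxied to a home server that is the server itself, and a received User-Name that no longer equals the EAP identity once the realm has been stripped. The sample log and the `alice@example.edu` identity are constructed, and `eap_identity` and `find_problems` are hypothetical helper names.

```python
import re
import struct

def eap_identity(hex_value):
    """Identity string from an EAP-Response/Identity (RFC 3748), else None."""
    raw = bytes.fromhex(hex_value[2:])              # drop the "0x" prefix
    if len(raw) < 5:
        return None
    code, _id, length, eap_type = struct.unpack("!BBHB", raw[:5])
    if code != 2 or eap_type != 1 or length > len(raw):
        return None                                 # not a Response/Identity
    return raw[5:length].decode("utf-8", "replace")

def find_problems(debug_log):
    """Flag self-proxying and User-Name/EAP identity mismatches in debug output."""
    findings, proxied_to = [], set()
    received, user_name = False, None
    for line in map(str.strip, debug_log.splitlines()):
        if m := re.match(r"Proxying request \d+ to home server (\S+) port", line):
            proxied_to.add(m.group(1))
        elif m := re.match(r"rad_recv: Access-Request packet from host (\S+) port", line):
            received = True
            if m.group(1) in proxied_to:            # our own proxied copy came back
                findings.append(f"self-proxy via {m.group(1)}")
        elif line.startswith("Sending "):
            received = False                        # outbound copy, checked on receipt
        elif m := re.match(r'User-Name = "(.*)"', line):
            user_name = m.group(1)
        elif received and (m := re.match(r"EAP-Message = (0x[0-9a-fA-F]+)", line)):
            ident = eap_identity(m.group(1))
            if ident and user_name and ident != user_name:
                findings.append(f"User-Name {user_name!r} != EAP identity {ident!r}")
    return findings

# Constructed sample in the format of the debug log above (not the poster's data).
IDENT = b"alice@example.edu"
SAMPLE_EAP = "0x" + (struct.pack("!BBHB", 2, 0, 5 + len(IDENT), 1) + IDENT).hex()
SAMPLE_LOG = f"""
rad_recv: Access-Request packet from host 192.0.2.10 port 45488, id=0, length=146
User-Name = "alice@example.edu"
EAP-Message = {SAMPLE_EAP}
Sending Access-Request of id 215 to 127.0.0.1 port 1812
User-Name = "alice"
Proxying request 7 to home server 127.0.0.1 port 1812
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=215, length=136
User-Name = "alice"
EAP-Message = {SAMPLE_EAP}
"""
print("\n".join(find_problems(SAMPLE_LOG)))
```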
