Hello,

On Wed, 10 Apr 2002, Chris Parker wrote:

> At 08:43 AM 4/10/2002 -0700, Woolworth Mark-P23695 wrote:
> >I'm currently running freeradius 0.4 on Solaris 8 and everything is
> >working fine except the Tunnel-Password. My ISP is proxying the
> >authentication request to my radius server and my radius server is
> >authenticating the request and returning the tunnel attributes to
> >allow the NAS to build an L2TP tunnel.
> >The ISP is claiming the Tunnel-Password is coming back malformed.

We are working just now on a similar setup, with freeradius 0.5 on FreeBSD.
We also seem to have a problem with the Tunnel-Password.
But it looks like the NAS is complaining about this Password, not the
Proxy-Radius.

I had a quick look into the source ( lib/radius.c ), and I don't understand
how the routine rad_tunnel_pwencode() is supposed to work
(just look at the 'random' salt, and the calculation of the length).
OTOH, the chapter in rfc2868 on how to calculate the tunnel-password
is also not very clear to me...

> >At the moment, I don't know which radius
> >server the ISP is running, they're supposed to let me know today.
> >My users file has been pared to the minimum
> >
> >gomer Auth-Type := Local, Password == "*****"
> >      Service-Type = Framed-user,
> >      Framed-Protocol = PPP,
> >      Tunnel-Type:1 = L2TP,
> >      Tunnel-Medium-Type:1 = IP,
> >      Tunnel-Password:1 = password,
> >      Tunnel-Server-Endpoint:1 = 127.0.0.1
> >
> >The dictionary.tunnel file specifies encrypt=2 on the
> >Tunnel-Password attribute.
> >I've searched the archives and the only information I found on
> >Tunnel-Password was back in October 2001 when it was first
> >implemented. Does anyone have a scenario like this working?
> >Are there any known problems with password encryption
> >interoperating with other radius servers?
>
> With other radius servers? I know that it is working at least
> with Funk SteelBelted Radius in terms of interoperability.
> >FreeRADIUS also works with cisco and Ascend NAS that I've
> >tested with ( in setting up L2TP via radius ).
>
> Sounds like your ISP has a problem, or has their
> implementation/configuration incorrect.

Is there an easy way to verify that the password gets encrypted correctly?

> -Chris

By(t)e,
HaJo Gurt
--
========--------========--------========--------========--------========
Hans-Joachim Gurt            Online Services (Access Server)
[EMAIL PROTECTED]
Tiscali Business GmbH        www.tiscali-business.de
Robert-Bosch-Strasse 32
D-63303 Dreieich
Fon: +49-6103-916-923        Fax: +49-6103-916-672
------------------------------------------------------------------------
My name is Borg, James Borg. License to assimilate.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html