"Alan DeKok" <[EMAIL PROTECTED]> wrote:
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: Cisco VPN3000 with freeradius
> Date: Mon, 15 Dec 2003 14:39:46 -0500
> Reply-To: [EMAIL PROTECTED]
>
> "Spetzler, Arne (DZ-SH)" <[EMAIL PROTECTED]> wrote:
> > I am successfully authenticating Certificate users against freeradius =
> > 0.9.0 (from suse 9.0).
> >
> > BUT: only the 'first' time. That means:
> >
> > <wait a 'long' time (av. 15 min)>
> >
> > <authenticate successful>
>
> This has nothing to do with FreeRADIUS. If the client/NAS doesn't
> contact the server, there's nothing that FreeRADIUS can do to speed up
> the process.
>
> > The CISCO Access Control Server ACS did not show this behavior.
>
> I would suggest seeing what attributes are sent back from the Cisco
> server, and make FreeRADIUS send back the same attributes.
>
> Whatever the problem is, that is the only fix.
>
> Alan DeKok.
>
Hi, Alan,

no, this is _not_ the only fix ;)

I have found the problem now: the VPN3000 Concentrator has a timing problem: if the answer from the radius server is _fast_ (< 200ms) _and_ a lot of debugging is enabled - then the vpn3000 may lose the udp packet which contains the answer.

The FREERADIUS _is_ fast - in our environment the answers came after 30-180 ms. So packets get lost. Because the CISCO ACS is not so fast (> 300ms) this did not happen with ACS.

regards,
Arne Spetzler
