Hello,
I'm running freeradius-0.9.3 to authenticate wifi users using an CISCO
AP1100.
I've set up a user called 'wifi1' on radius server with next parameters:
wifi1 Auth-Type := eap, User-Password == "open"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-Filter-Id="161.out",
Framed-IP-Address = 10.172.108.1
My PC win2000 client witch a CISCO aironet card succeed LEAP
authentification,
but it gets another DHCP IP adress than the one i wanted set up on radius
server,
thru the Framed-IP-Address .
Here is the reply log when setting debug options:
/usr/local/sbin/radiusd -A -X ,
....
modcall: group post-auth returns ok for request 2
Sending Access-Accept of id 252 to 10.172.250.9:1645
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 10.172.108.2
Cisco-AVPair +=
"leap:session-key=\207\330l\302\310\261\001\332\255dkCW\235\206\343e|o\010\3
52\007=W\273\273\266\377\367\352cV\334\032"
EAP-Message =
0x0208002511010018b1ce76cdba9d58eaa89e6675f2216f4aad194abc68bb99967769666932
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 2
My CISCO AP is configured with:
radius-server host 10.172.102.71 auth-port 1812 acct-port 1813 key 7
13061E010803
radius-server retransmit 3
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
radius-server vsa send authentication
access-list 161 deny tcp any host 10.172.102.1 eq telnet log
I tried also a filter using access list 161, but it does not works too.
Do you think it is Cisco AP that prevents getting radius attributes
or did i miss something in freeradius conf ?
Regards,
--Bernard
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
