Hi, Since lighting up IPv6 on our FreeRADIUS infrastructure, I have noticed behaviour that seems to result in the following logic kicking off: ---- authorize { ...
update request { NAS-IPv6-Address = Packet-Src-IPv6-Address NAS-IP-Address = Packet-Src-IP-Address } ... } ----- So, when NAS-IP(v6)-Address already exists, nothing happens, however if it does, then it an attribute with the contents of Packet-Src-IP(v6)-Address is added; obviously depending on the socket type the packet arrives over so I am guessing in practice you probably really only see this when communicating with IPv6 proxies? The problem is, I have not added this type of thing to my config. Checking the raw packet captures show that the client is not setting NAS-IPv6-Address but by the time I sql log it in post-auth, it's there, set to Packet-Src-IPv6-Address :-/ Idea's and suggestions would be much obliged, comments regarding my use of NAS-(IP(v6)?-Address|Identifier) to /dev/null though, unless you have a better suggestion? ;) Cheers ---- dot1x related virtual servers ---- listen { type = auth port = 1812 ipv6addr = :: clients = dot1x } listen { type = auth port = 1812 ipaddr = * clients = dot1x } listen { type = acct port = 1813 ipv6addr = :: clients = dot1x } listen { type = acct port = 1813 ipaddr = * clients = dot1x } server lanwarden { .... } server eduroam { authorize { preprocess testers # braindead JANET PAP test hook if ((Hint) && Hint == test && !(EAP-Message)) { update control { Proxy-To-Realm := "auth.virtual" } handled } if (!(Hint) || Hint != test) { # detail.eduroam attr_filter.eduroam-auth } rewrite.called_station_id rewrite.calling_station_id client-info # let people know *which* box did the auth update reply { NAS-Identifier := "%{config:local.MY.hostname}" NAS-IP-Address := "%{config:local.MY.addr.v4}" NAS-IPv6-Address := "%{config:local.MY.addr.v6}" } # Reject EAP-less authentications if (!(EAP-Message)) { update reply { Reply-Message := "We only accept EAP requests" } reject } # Reject Calling-Station-Id-less authentications if (!(Calling-Station-Id)) { update reply { Reply-Message := "No Calling-Station-Id" } reject } if (!(User-Name)) { update reply { Reply-Message := "No User-Name" } reject } validate_username suffix # Reject realm's authentications that are not for us early if (Realm != "%{config:local.MY.realm}") { update reply { Reply-Message := "Not @%{config:local.MY.realm} User-Name" } reject } EAP { ok = return } ldap-lanwarden if (ok) { if (control:LanWarden-Host-State != "enable") { update reply { Reply-Message := "LW: disabled" } reject } # if ((EAP-Message)) { # cache_ldap-userdn # } } Autz-Type Status-Server { ok } } authenticate { Auth-Type EAP { EAP } } post-auth { Post-Auth-Type Reject { sql.dot1x attr_filter.access_reject eap-has-no-reply-message # detail.eduroam } # if ((EAP-Message) && !(Ldap-UserDn)) { # cache_ldap-userdn # } if (!(Hint) || Hint != test) { sql.dot1x } update reply { User-Name !* ANY } attr_filter.eduroam-auth eap-has-no-reply-message # if (!(Hint) || Hint != test) { # detail.eduroam # } } preacct { preprocess suffix } accounting { # detail.eduroam attr_filter.eduroam-acct rewrite.called_station_id rewrite.calling_station_id # Reject Calling-Station-Id-less authentications if (!(Calling-Station-Id)) { update reply { Reply-Message := "No Calling-Station-Id" } reject } if (!(User-Name)) { update reply { Reply-Message := "No User-Name" } reject } validate_username # Reject realm's authentications that are not for us early if (Realm != "%{config:local.MY.realm}") { update reply { Reply-Message := "Not @%{config:local.MY.realm} User-Name" } reject } detail.dot1x.acct } session { ok } } --------------------- ---- policy.conf ---- policy { mac-addr = ([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2}) rewrite.called_station_id { if((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) { update request { Called-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" } # SSID componment? if ("%{7}") { update request { Called-Station-Id := "%{request:Called-Station-Id}%{7}" } } updated } else { noop } } rewrite.calling_station_id { if((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) { update request { Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" } update control { Local-MAC-Address := "%{tolower:%{1}%{2}%{3}%{4}%{5}%{6}}" } updated } else { noop } } rewrite.quirk.wlc { if (NAS-IP-Address == 172.16.3.124 && NAS-Identifier == "wlc-01") { switch "%{Airespace-Wlan-Id}" { case "1" { update request { NAS-Port-Id := "eduroam" } } case "5" { update request { NAS-Port-Id := "UTILICOM" } } case "6" { update request { NAS-Port-Id := "BTOpenzone" } } case "7" { update request { NAS-Port-Id := "soas-wpa-psk" } } case { update request { NAS-Port-Id := "UNKNOWN" } } } if (Packet-Type == "Accounting-Request") { update request { NAS-Port-Type := "Wireless-802.11" Called-Station-Id := "%{Called-Station-Id}:%{NAS-Port-Id}" } switch "%{Tunnel-Private-Group-Id}" { case "140" { update request { Tunnel-Private-Group-Id := "btopenzone" } } case "128" { update request { Tunnel-Private-Group-Id := "eduroam" } } case "127" { update request { Tunnel-Private-Group-Id := "unauthorised" } } case "72" { update request { Tunnel-Private-Group-Id := "users-unmanaged" } } case "153" { update request { Tunnel-Private-Group-Id := "utilicom" } } case { update request { Tunnel-Private-Group-Id := "UNKNOWN" } } } } updated } else { noop } } validate_username { if (User-Name !~ /@/ && User-Name =~ /^[[:graph:]]+$/) { ok } elsif (User-Name !~ /@.*@/ && User-Name =~ /^[[:graph:]...@[[:alnum:]-]+(\\.[[:alnum:]-]+)+$/) { ok } else { update reply { Reply-Message := "Invalid User-Name Syntax" } reject } } ldap-login { redundant-load-balance { ldap_login1 { $template ldap-failover } ldap_login2 { $template ldap-failover } } } ldap-lanwarden { redundant-load-balance { ldap_lanwarden1 { $template ldap-failover } ldap_lanwarden2 { $template ldap-failover } } } # RFC compliance eap-has-no-reply-message { if ((reply:EAP-Message)) { update reply { Reply-Message !* ANY } } } mac_auth { if (Realm == NULL && !(EAP-Message) && NAS-Port-Type == Ethernet \ && Service-Type == Call-Check \ && User-Name == "%{User-Password}" \ && User-Name =~ /^[0-9a-f]{12}$/i \ && Calling-Station-Id =~ /^([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})$/i \ && User-Name =~ /^%{1}%{2}%{3}%{4}%{5}%{6}$/i) { ok } else { noop } } lanwarden_vlan1 { update control { Tunnel-Private-Group-Id := "%{ldap_lanwarden1:ldap:///ou=Networks,ou=LanWarden,o=soas?cn?one?(&(objectClass=lanwardenNetwork)(member=%{control:Ldap-UserDn}))}" } if ((control:Tunnel-Private-Group-Id)) { ok } else { fail } } lanwarden_vlan2 { update control { Tunnel-Private-Group-Id := "%{ldap_lanwarden2:ldap:///ou=Networks,ou=LanWarden,o=soas?cn?one?(&(objectClass=lanwardenNetwork)(member=%{control:Ldap-UserDn}))}" } if ((control:Tunnel-Private-Group-Id)) { ok } else { fail } } lanwarden_vlan { if ((control:Ldap-UserDn)) { redundant-load-balance { lanwarden_vlan1 lanwarden_vlan2 } if (ok && control:Tunnel-Private-Group-Id != "") { update reply { Tunnel-Private-Group-Id := "%{control:Tunnel-Private-Group-Id}" } } else { noop } } else { noop } } client-info { if ((client:shortname)) { update request { NAS-Identifier := "%{client:shortname}" } } if ((client:vendor)) { update request { Huntgroup-Name := "%{client:vendor}" } } } testers { if ((User-Name == "testa...@soas.ac.uk" \ && NAS-IP-Address == 193.60.199.62 \ && NAS-Port == 1812) \ || (Connect-Info == "JANET Roaming test" \ && NAS-IP-Address == 127.0.0.1 \ && Calling-Station-Id == "02-00-00-00-00-01" \ && NAS-Port-Type == Wireless-802.11)) { update request { Hint := test Cleartext-Password := "%{config:local.test.password}" } } } } --------------------- ----- debug -X ------ rad_recv: Access-Request packet from host 2001:630:1:129::249 port 63536, id=88, length=212 User-Name = "foo...@soas.ac.uk" NAS-IP-Address = 10.6.0.12 NAS-Port = 2 NAS-Identifier = "10.6.0.11" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "001122334455" Called-Station-Id = "554433221100" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020900061500 State = 0xd53f4a5ed2365f22247722c7299e5713 Vendor-14823-Attr-5 = 0x656475726f616d Vendor-14823-Attr-6 = 0x426564666f7264537175617265415033 Message-Authenticator = 0x26f56bb65ab36c9e1e997b7abd6ff3a9 Proxy-State = 0x4f53432d457874656e6465642d49643d363030 server eduroam { # Executing section authorize from file /etc/freeradius/sites-enabled/dot1x +- entering group authorize {...} ++[preprocess] returns ok ++- entering policy testers {...} +++? if ((User-Name == "testa...@soas.ac.uk" && NAS-IP-Address == 193.60.199.62 && NAS-Port == 1812) || (Connect-Info == "JANET Roaming test" && NAS-IP-Address == 127.0.0.1 && Calling-Station-Id == "02-00-00-00-00-01" && NAS-Port-Type == Wireless-802.11)) ?? Evaluating (User-Name == "testa...@soas.ac.uk" ) -> FALSE ?? Skipping (NAS-IP-Address == 193.60.199.62 ) ?? Skipping (NAS-Port == 1812) (Attribute Connect-Info was not found) ?? Evaluating (Connect-Info == "JANET Roaming test" ) -> FALSE ?? Skipping (NAS-IP-Address == 127.0.0.1 ) ?? Skipping (Calling-Station-Id == "02-00-00-00-00-01" ) ?? Skipping (NAS-Port-Type == Wireless-802.11) +++? if ((User-Name == "testa...@soas.ac.uk" && NAS-IP-Address == 193.60.199.62 && NAS-Port == 1812) || (Connect-Info == "JANET Roaming test" && NAS-IP-Address == 127.0.0.1 && Calling-Station-Id == "02-00-00-00-00-01" && NAS-Port-Type == Wireless-802.11)) -> FALSE ++- policy testers returns ok ++? if ((Hint) && Hint == test && !(EAP-Message)) ?? Evaluating (Hint) -> FALSE ? Skipping (Hint == test ) ?? Skipping (EAP-Message) ++? if ((Hint) && Hint == test && !(EAP-Message)) -> FALSE ++? if (!(Hint) || Hint != test) ?? Evaluating (Hint) -> FALSE ? Converting !FALSE -> TRUE ? Skipping (Hint != test) ++? if (!(Hint) || Hint != test) -> TRUE ++- entering if (!(Hint) || Hint != test) {...} [attr_filter.eduroam-auth] expand: %{Realm} -> +++[attr_filter.eduroam-auth] returns noop ++- if (!(Hint) || Hint != test) returns noop ++- entering policy rewrite.called_station_id {...} +++? if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) ?? Evaluating (Called-Station-Id) -> TRUE expand: %{Called-Station-Id} -> 554433221100 expand: policy.mac-addr -> policy.mac-addr expand: ^%{config:policy.mac-addr}(:(.+))?$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$ ? Evaluating ("%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) -> TRUE +++? if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) -> TRUE +++- entering if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) {...} expand: %{1}-%{2}-%{3}-%{4}-%{5}-%{6} -> 55-44-33-22-11-00 expand: %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} -> 55-44-33-22-11-00 ++++[request] returns noop ++++? if ("%{7}") expand: %{7} -> ? Evaluating ("%{7}") -> FALSE ++++? if ("%{7}") -> FALSE ++++[updated] returns updated +++- if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) returns updated +++ ... skipping else for request 105: Preceding "if" was taken ++- policy rewrite.called_station_id returns updated ++- entering policy rewrite.calling_station_id {...} +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) ?? Evaluating (Calling-Station-Id) -> TRUE expand: %{Calling-Station-Id} -> 001122334455 expand: policy.mac-addr -> policy.mac-addr expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$ ? Evaluating ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE +++- entering if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {...} expand: %{1}-%{2}-%{3}-%{4}-%{5}-%{6} -> 00-11-22-33-44-55 expand: %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} -> 00-11-22-33-44-55 ++++[request] returns updated expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 001122334455 expand: %{tolower:%{1}%{2}%{3}%{4}%{5}%{6}} -> 001122334455 ++++[control] returns updated ++++[updated] returns updated +++- if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) returns updated +++ ... skipping else for request 105: Preceding "if" was taken ++- policy rewrite.calling_station_id returns updated ++- entering policy client-info {...} +++? if ((client:shortname)) ?? Evaluating (client:shortname) -> TRUE +++? if ((client:shortname)) -> TRUE +++- entering if ((client:shortname)) {...} expand: %{client:shortname} -> jrs.2.v6 ++++[request] returns updated +++- if ((client:shortname)) returns updated +++? if ((client:vendor)) ?? Evaluating (client:vendor) -> TRUE +++? if ((client:vendor)) -> TRUE +++- entering if ((client:vendor)) {...} expand: %{client:vendor} -> ++++[request] returns updated +++- if ((client:vendor)) returns updated ++- policy client-info returns updated expand: local.MY.hostname -> local.MY.hostname expand: %{config:local.MY.hostname} -> chlorine.it.soas.ac.uk expand: local.MY.addr.v4 -> local.MY.addr.v4 expand: %{config:local.MY.addr.v4} -> 212.219.238.70 expand: local.MY.addr.v6 -> local.MY.addr.v6 expand: %{config:local.MY.addr.v6} -> 2001:630:1b:6003:90c0:802a:d873:c284 ++[reply] returns updated ++? if (!(EAP-Message)) ?? Evaluating (EAP-Message) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(EAP-Message)) -> FALSE ++? if (!(Calling-Station-Id)) ?? Evaluating (Calling-Station-Id) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(Calling-Station-Id)) -> FALSE ++? if (!(User-Name)) ?? Evaluating (User-Name) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name)) -> FALSE ++- entering policy validate_username {...} +++? if (User-Name !~ /@/ && User-Name =~ /^[[:graph:]]+$/) ? Evaluating (User-Name !~ /@/) -> FALSE ? Skipping (User-Name =~ /^[[:graph:]]+$/) +++? if (User-Name !~ /@/ && User-Name =~ /^[[:graph:]]+$/) -> FALSE +++? elsif (User-Name !~ /@.*@/ && User-Name =~ /^[[:graph:]...@[[:alnum:]-]+(\\.[[:alnum:]-]+)+$/) ? Evaluating (User-Name !~ /@.*@/) -> TRUE ? Evaluating (User-Name =~ /^[[:graph:]...@[[:alnum:]-]+(\\.[[:alnum:]-]+)+$/) -> TRUE +++? elsif (User-Name !~ /@.*@/ && User-Name =~ /^[[:graph:]...@[[:alnum:]-]+(\\.[[:alnum:]-]+)+$/) -> TRUE +++- entering elsif (User-Name !~ /@.*@/ && User-Name =~ /^[[:graph:]...@[[:alnum:]-]+(\\.[[:alnum:]-]+)+$/) {...} ++++[ok] returns ok +++- elsif (User-Name !~ /@.*@/ && User-Name =~ /^[[:graph:]...@[[:alnum:]-]+(\\.[[:alnum:]-]+)+$/) returns ok +++ ... skipping else for request 105: Preceding "if" was taken ++- policy validate_username returns ok [suffix] Looking up realm "soas.ac.uk" for User-Name = "foo...@soas.ac.uk" [suffix] Found realm "soas.ac.uk" [suffix] Adding Stripped-User-Name = "foobar" [suffix] Adding Realm = "soas.ac.uk" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++? if (Realm != "%{config:local.MY.realm}") expand: local.MY.realm -> local.MY.realm expand: %{config:local.MY.realm} -> soas.ac.uk ? Evaluating (Realm != "%{config:local.MY.realm}") -> FALSE ++? if (Realm != "%{config:local.MY.realm}") -> FALSE [EAP] EAP packet type response id 9 length 6 [EAP] Continuing tunnel setup. ++[EAP] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/dot1x +- entering group EAP {...} [EAP] Request found, released from the list [EAP] EAP/ttls [EAP] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake is finished [ttls] eaptls_verify returned 3 [ttls] eaptls_process returned 3 [ttls] Using saved attributes from the original Access-Accept User-Name = "foo...@soas.ac.uk" Auth-Type = MSCHAP [ttls] Saving response in the cache [EAP] Freeing handler ++[EAP] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/dot1x +- entering group post-auth {...} ++? if (!(Hint) || Hint != test) ?? Evaluating (Hint) -> FALSE ? Converting !FALSE -> TRUE ? Skipping (Hint != test) ++? if (!(Hint) || Hint != test) -> TRUE ++- entering if (!(Hint) || Hint != test) {...} [sql.dot1x] expand: %{reply:User-Name} -> foo...@soas.ac.uk [sql.dot1x] expand: %{%{reply:User-Name}:-%{request:User-Name}} -> foo...@soas.ac.uk [sql.dot1x] sql_set_user escaped user --> 'foo...@soas.ac.uk' [sql.dot1x] expand: %{request:Packet-Src-IPv6-Address} -> 2001:630:1:129::249 [sql.dot1x] expand: %{NAS-Port} -> 2 [sql.dot1x] expand: %{reply:Auth-Type} -> MSCHAP [sql.dot1x] expand: INSERT INTO dot1x_auth ( timestamp, packet_src_address, user_name, realm, operator_name, nas_ip_address, nas_ipv6_address, nas_identifier, nas_port, nas_port_type, nas_port_id, called_station_id, calling_station_id, packet_type, eap_type, auth_type, tunnel_private_group_id, reply_message ) VALUES ( '%S'::timestamp, '%{%{request:Packet-Src-IPv6-Address}:-%{request:Packet-Src-IP-Address}}', '%{SQL-User-Name}', '%{request:Realm}', NULLIF('%{request:Operator-Name}', ''), NULLIF('%{request:NAS-IP-Address}', '')::inet, NULLIF('%{request:NAS-IPv6-Address}', '')::inet, '%{request:NAS-Identifier}', %{%{NAS-Port}:-NULL}::integer, '%{request:NAS-Port-Type}', NULLIF('%{request:NAS-Port-Id}',''), lower('%{request:Called-Station-Id}'), lower('%{request:Calling-Station-Id}'), '%{reply:Packet-Type}', '%{EAP-Type}', '%{%{reply:Auth-Type}:-%{control:Auth-Type}}', '%{reply:Tunnel-Private-Group-Id}', '%{reply:Reply-Message}' ) -> INSERT INTO! dot1x_auth ( timestamp, packet rlm_sql (sql.dot1x) in sql_postauth: query is INSERT INTO dot1x_auth ( timestamp, packet_src_address, user_name, realm, operator_name, nas_ip_address, nas_ipv6_address, nas_identifier, nas_port, nas_port_type, nas_port_id, called_station_id, calling_station_id, packet_type, eap_type, auth_type, tunnel_private_group_id, reply_message ) VALUES ( '2010-12-13 19:58:37'::timestamp, '2001:630:1:129::249', 'foo...@soas.ac.uk', 'soas.ac.uk', NULLIF('', ''), NULLIF('10.6.0.12', '')::inet, NULLIF('2001:630:1:129::249', '')::inet, 'jrs.2.v6', 2::integer, 'Wireless-802.11', NULLIF('',''), lower('55-44-33-22-11-00'), lower('00-11-22-33-44-55'), 'Access-Accept', 'EAP-TTLS', 'MSCHAP', '', '' ) rlm_sql (sql.dot1x): Reserving sql socket id: 4 rlm_sql_postgresql: Status: PGRES_COMMAND_OK rlm_sql_postgresql: query affected rows = 1 rlm_sql (sql.dot1x): Released sql socket id: 4 +++[sql.dot1x] returns ok ++- if (!(Hint) || Hint != test) returns ok ++[reply] returns ok [attr_filter.eduroam-auth] expand: %{Realm} -> soas.ac.uk attr_filter: Matched entry DEFAULT at line 1 ++[attr_filter.eduroam-auth] returns updated ++- entering policy eap-has-no-reply-message {...} +++? if ((reply:EAP-Message)) ?? Evaluating (reply:EAP-Message) -> TRUE +++? if ((reply:EAP-Message)) -> TRUE +++- entering if ((reply:EAP-Message)) {...} ++++[reply] returns updated +++- if ((reply:EAP-Message)) returns updated ++- policy eap-has-no-reply-message returns updated } # server eduroam Sending Access-Accept of id 88 to 2001:630:1:129::249 port 63536 NAS-IP-Address = 212.219.238.70 NAS-IPv6-Address = 2001:630:1b:6003:90c0:802a:d873:c284 MS-MPPE-Recv-Key = 0xfc5dc29f224e5ee815ece548d5df7442e12427c0b0bb8a8dc12ad8c16aeef0e8 MS-MPPE-Send-Key = 0xd092db1e188db46ba35491c99a7f0f9634b3de43e992a4fa3b56f64e75a3eaa1 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x4f53432d457874656e6465642d49643d363030 Finished request 105. Going to the next request --------------------- -- Alexander Clouter .sigmonster says: Bo Derek ruined my life! - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html