On Tue, Jan 4, 2011 at 2:40 PM, miha- <miha_zou...@hotmail.com> wrote: > Currently, there is a password matching issue because the User-Password > encoding is different during the Authentication from the Authorization. > During the Authentication step, the Centile's radius client send a > User-Password encrypted with the secret. > But during the Authorization step, we don't expect the Radius server to > check again this password (which is sent anyway, I don't know if this is a > bug or if it is required by Eyebill...).
So they deliberately do NOT encrypt password with the secret? That's just silly. They need to fix it. > The Authorization request contains the attribute Acct-Status-Type with the > value 17 that means "authorize only". Shouldn't it be RADIUS Attribute 6, Service-Type? http://www.ietf.org/assignments/radius-types/radius-types.xml > It also contains the attribute Message-Authenticator with the digest value. > So Freeradius should use those two attributes to accept or reject the > request instead of the User-Name and User-Password. If only "pap" is involved (which, from your debug log seems to be the case), you might be able to play with unlang and set Auth-Type := Accept for certain conditions (e.g. check whether Message-Authenticator exists, and whether it matches a certain value). http://wiki.freeradius.org/index.php/FAQ#How_do_I_permit_access_to_any_user_regardless_of_password.3F http://freeradius.org/radiusd/man/unlang.html -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html