rlm_sql module. HELP !
hi ! I'm using freeradius 0.8.1 with mysql-3.23.49-3. It' s working ok, with authentication and accounting. but i'd like to add a SQL request in the sql.conf file ( accounting_stop_query ) the original query is : accounting_stop_query = UPDATE ${acct_table2} SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}' AND AcctStopTime = 0 and i'd like to add : UPDATE ${authreply_table} SET Value='%{Session-Timeout}' WHERE Username='%{SQL-User-Name}' AND Attribute='Session-Timeout' in the same accounting_stop_query.. .is it possible ? I tried to put a simple ; between the 2 requests, but it doesn't work. does anyone got a clue ? regards. --- CYBERDECK Solutions de bornes interactives - Kiosk solutions --- Richard Genoud Ingenieur RD --- 300 route nationale 6 - 69760 Limonest - France Tel. : 0820 820 107 - International +33 4 78 66 74 00 Fax : +33 4 78 66 74 69 [EMAIL PROTECTED] - www.cyberdeck.com --- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Making FreeRadius
Hi, I'm trying to install freeRadius. I followed the instructions given in the web site www.missl.cs.umd.edu/wireless/eaptls. When I try to make, some errors were returned. The error returned was error [2] Therefore, i couldn't even get to the make install stage. The instructions mentioned that one solution to the problem (Linux system misdetecting the gethostbyadd_r() and gethostbyname_r() ) is radius-autoconf.h So, what i did was, to place radius-autoconf.hin /usr/src/802/radius/radiusd/src/include Then make again. But it doesn't seem to solve the problem. Can you help me? Regards, Lau - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: understanding MIBs (simultaneous use with cisco's)
On Wednesday, December 11, 2002, at 03:42 PM, Dan wrote: Well I got our AS5200s simultaneous use to work finally. congratulations Now the problem is the cisco 7500 we have for DSL. checkrad (running full debug mode on radius) shows no response The world is not perfect. :-))) What cause this no response?? An SNMP query?? it looks like the MIBs are wrong. so in this case I have two questions: 1. how do I find the correct MIBs? (yes, I could run SNMPwalk, but I have no idea what I'm doing with that) Follow the OID tree and hopefully you find via that the correct MIB module. 2. once I do have them, how do I put them into checkrad without wrecking the other cisco stuff (since they are both cisco) Why would such a box need the MIB modules?? I beleive you want to place the MIB module somewhere on your manager so your tools can do the translation on this side (not agent side). Specifics of how depends on your tools. I may (or may not) actually have a MIB string for the 7500, I don't undestand what this stuff means, so I don't know what to do with it You need to have a MIB module in order to know what a variable retrieved from an SNMP agent means. while on the topic of MIBs, can anyone tell me what this means or what it could be used for: 1.3.6.1.4.1.9.10.19.1.1.4.0:public@usernas2 The prefix '1.3.6.1.4.1' means enterprises. You could have found this easily yourselves by looking into RFCs that specify the MIB module language (SMI) or most books on the subject. After that you have an enterprise specific OID which is 10. That you can find in http://www.iana.org/assignments/enterprise-numbers 10 NSC John Lyman [EMAIL PROTECTED] That seems to be NSC. No clue who or which company this is, but you can try the email address that is the contact person. Possibly out of date. Via him you could maybe get the MIB module definitions or ask where you got the device from. Then the part '19.1.1.4.0' seems to specify some scalar variable in this domain. 'public' is the community '@usernas' I guess the hostname. I think this is the MIB for the IP pool on an AS500, which means it could be used to keep track of how many users are online. No clue. Hope this helps, Harrie -- Author of MOD-SNMP, enabling SNMP management of Apache HTTP server - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: PEAP support
From: Ynjiun P. Wang [mailto:[EMAIL PROTECTED]] Sent: den 12 december 2002 00:51 To: Freeradius-Users@Lists. Cistron. Nl Subject: PEAP support Lars I am using the EAP-TLS code base and tweek it to work up to the point of finishing PEAP Part I. Now XP can talk to my prototype up to the Part I. Cool! Now I am getting into the Part II to send EAP packet under TLS tunnel. Could you suggest where to add the Part II code given the EAP-TLS code base? and how to bootstrap EAP code assuming everything recursively happening again? Sorry, I haven't had time to look closely at this. However, obviously you would like to hook into the rlm_eap module to be able to reuse the existing EAP machinery. I suspect you'll have to modify this module slightly to allow this. (PEAP is actually EAP-TLS-EAP, am I right?) I guess you could say that it is EAP-TLS-EAP-X, where X is any EAP method. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Making FreeRadius
Try here: http://www.oreilly.com/catalog/radius/chapter/ch05.html --- Secure Wireless Networking Now --- Glynn Taylor President WiFiConsulting, Inc. Web: http://www.WiFiConsulting.com http://www.HotSpotVPN.com --- Secure Wireless Networking Now --- -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Lau Kin Hoong Sent: Thursday, December 12, 2002 5:34 AM To: [EMAIL PROTECTED] Subject: Making FreeRadius Hi, I'm trying to install freeRadius. I followed the instructions given in the web site www.missl.cs.umd.edu/wireless/eaptls. When I try to make, some errors were returned. The error returned was error [2] Therefore, i couldn't even get to the make install stage. The instructions mentioned that one solution to the problem (Linux system misdetecting the gethostbyadd_r() and gethostbyname_r() ) is radius-autoconf.h So, what i did was, to place radius-autoconf.hin /usr/src/802/radius/radiusd/src/include Then make again. But it doesn't seem to solve the problem. Can you help me? Regards, Lau - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
plperl function for Postgres 7.3 and cisco VSA date accounting
Hi Guys I thought someone might find this usefull. I use posgres and freeradius with modified queries to use the extended VSA start and stop times of a session to save EVER doing an update on your database (everything is an insert). This allows me to scale to approximately 500 times more accounting requests per DB than I would otherwise be able to do. However there is a nasty problem that when a cisco loses ntp time sync it starts outputting the datetime with a fullstop . in front to specifiy that the time may be wrong. This then means that inserts will fail as the data is no longer in valid date format. This function strips the fullstop. /* * --- Peter Nixon [ [EMAIL PROTECTED] ] * Remove . from the start of time fields (routers that have lost ntp timesync temporarily) * * Used as: * insert int mytable values (strip_dot('.16:46:02.356 EET Wed Dec 11 2002')); */ CREATE OR REPLACE function strip_dot (text) returns text as ' my $datetime = $_[0]; $datetime =~ s/^\\.*//; return $datetime; ' language 'plperl'; Cheers -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: plperl function for Postgres 7.3 and cisco VSA date accounting
On Thu, 12 Dec 2002 04:56 pm, Peter Nixon wrote: Hi Guys I thought someone might find this usefull. I use posgres and freeradius with modified queries to use the extended VSA start and stop times of a session to save EVER doing an update on your database (everything is an insert). This allows me to scale to approximately 500 times more accounting requests per DB than I would otherwise be able to do. However there is a nasty problem that when a cisco loses ntp time sync it starts outputting the datetime with a fullstop . in front to specifiy that the time may be wrong. This then means that inserts will fail as the data is no longer in valid date format. This function strips the fullstop. /* * --- Peter Nixon [ [EMAIL PROTECTED] ] * Remove . from the start of time fields (routers that have lost ntp timesync temporarily) * * Used as: * insert int mytable values (strip_dot('.16:46:02.356 EET Wed Dec 11 2002')); */ CREATE OR REPLACE function strip_dot (text) returns text as ' my $datetime = $_[0]; $datetime =~ s/^\\.*//; return $datetime; ' language 'plperl'; Come to think of it, the following is even more useful :-) CREATE OR REPLACE function strip_dot (text) returns timestamp as ' my $datetime = $_[0]; $datetime =~ s/^\\.*//; return $datetime; ' language 'plperl'; -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Realms and SQL
At 05:57 PM 12/12/2002 +1100, Alan Wong wrote: Dear all, I was just wondering when I set up realms through the proxy.conf file how do I specify when it gets authenticated locally that it will check the SQL Database. At the moment in the proxy.conf file it has realm paris { type = radius authhost= LOCAL accthost= LOCAL } I want it to authenticate against the mysql database instead of the user file currently specified. Sorry I have tried a few different combinations and have read the mailing list but the threads I have read has either no responses or responses that are vague. Not sure what is confusing about it. And you don't want to actually authenticate against the mysql database. What you want to do is retrieve the users password from the database. You'll need to add an 'sql' module instance to your 'authorize' block and remove the 'files' module instance to use one over the other. You should not need to change anything in the 'authenticate' block. -Chris -- \\\|||/// \ StarNet Inc. \ Chris Parker \ ~ ~ / \ WX *is* Wireless!\ Director, Engineering | @ @ |\ http://www.starnetwx.net \ (847) 963-0116 oOo---(_)---oOo--\-- \ Wholesale Internet Services - http://www.megapop.net - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to use Calling-Station-Id to filter client's MAC
At 03:30 PM 12/12/2002 +0800, Kevin wrote: Could you tell more detail about this subjects,thanks a lot. This my configuration in users test Auth-Type := EAP,User-Password test, Calling-Station-Id = aa-bb-cc-dd-ee-ff Service-Type = Call-Check This is the debug message snip The debug message shows only the EAP call. It is useless to debug the MAC question as you have helpfully cut off the part of the debug where it prints the attributes received from your NAS. Also, you need to read the other error messages it prints about the 'operators' you are using in the check items for that profile. *READ* the debug output. It *will* tell you what it is doing and why it is doing it. -Chris -- \\\|||/// \ StarNet Inc. \ Chris Parker \ ~ ~ / \ WX *is* Wireless!\ Director, Engineering | @ @ |\ http://www.starnetwx.net \ (847) 963-0116 oOo---(_)---oOo--\-- \ Wholesale Internet Services - http://www.megapop.net - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_sql module. HELP !
At 10:13 AM 12/12/2002 +0100, Genoud Richard wrote: hi ! I'm using freeradius 0.8.1 with mysql-3.23.49-3. It' s working ok, with authentication and accounting. but i'd like to add a SQL request in the sql.conf file ( accounting_stop_query ) the original query is : accounting_stop_query = UPDATE ${acct_table2} SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}' AND AcctStopTime = 0 and i'd like to add : UPDATE ${authreply_table} SET Value='%{Session-Timeout}' WHERE Username='%{SQL-User-Name}' AND Attribute='Session-Timeout' in the same accounting_stop_query.. .is it possible ? I tried to put a simple ; between the 2 requests, but it doesn't work. does anyone got a clue ? Not presently. You can create another instance of an 'sql' module that executes the second accounting query. IE: sql SQL1 { } sql SQL2 { } accounting { acct_unique detail SQL1 SQL2 } -Chris -- \\\|||/// \ StarNet Inc. \ Chris Parker \ ~ ~ / \ WX *is* Wireless!\ Director, Engineering | @ @ |\ http://www.starnetwx.net \ (847) 963-0116 oOo---(_)---oOo--\-- \ Wholesale Internet Services - http://www.megapop.net - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Making FreeRadius
At 06:33 PM 12/12/2002 +0800, Lau Kin Hoong wrote: Hi, I'm trying to install freeRadius. I followed the instructions given in the web site www.missl.cs.umd.edu/wireless/eaptls. When I try to make, some errors were returned. The error returned was error [2] Therefore, i couldn't even get to the make install stage. The instructions mentioned that one solution to the problem (Linux system misdetecting the gethostbyadd_r() and gethostbyname_r() ) is radius-autoconf.h So, what i did was, to place radius-autoconf.hin /usr/src/802/radius/radiusd/src/include Then make again. But it doesn't seem to solve the problem. Can you help me? Post the error message and we can try. Without the actual error message, it is very difficult to help. Describe your system ( os, cpu arch, ... ), what your result was when you ran './configure', if you specified any argurments to './configure', and the actual output of 'make' where it fails for you. -Chris -- \\\|||/// \ StarNet Inc. \ Chris Parker \ ~ ~ / \ WX *is* Wireless!\ Director, Engineering | @ @ |\ http://www.starnetwx.net \ (847) 963-0116 oOo---(_)---oOo--\-- \ Wholesale Internet Services - http://www.megapop.net - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_sql module. HELP !
Chris Parker a écrit: Not presently. You can create another instance of an 'sql' module that executes the second accounting query. IE: sql SQL1 { } sql SQL2 { } accounting { acct_unique detail SQL1 SQL2 } thank you ! that's a much better idea than mine ! ( i was so desesperate that i modified the source code of the rlm_sql module... i'm quite proud of that indeed...) regards. -- --- CYBERDECK Solutions de bornes interactives --- Richard Genoud Ingenieur RD --- 300 route nationale 6 - 69760 Limonest - France Tel. : 0820 820 107 - International +33 4 78 66 74 00 Fax : +33 4 78 66 74 69 [EMAIL PROTECTED] - www.cyberdeck.com --- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
ip addressing
I am moving from a linux based commserver with digi ras cards in it to a cisco as5400 and I'm going to run freeradius on the linux box. for the linux commserver i developed a web based interface for user administration which updated /etc/passwd and a pap-secrets file. Those users who would get a static ip address had that address placed the the gcos (comments) field in /etc/passwd along with the pap-secrets file. It looks to me like I'll have to put a seperate user entry in the raddb/users file in order to assign a static ip address. Is that the case or is there some way for me to use a DEFAULT entry and have the Framed-IP-Address attribute be the result of a script or something? Thanks... -- Scott Knight, Network Analyst - SSM Health Care, Information Center email: [EMAIL PROTECTED] + phone: 314.644.7344 + fax: 314.647.1037 Dad, when you come home with only shattered pieces of your dreams, your little one can mend them like new with two magic words - 'Hi Dad!' - Alan Beck in Fathers and Sons - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Webpage redirect
Hello Chris, I'm not sure if I post the details to the mailing-list, but I'm using the following RAS: - Lucent PortMaster 3 (22 units) - Lucent/Ascend Max6000 (4 units) - MaxTNT (1 unit) I was guessing if Cisco would do the trick - it does a lot of tricks. But I have only Cisco routers in the ISP, no RAS :-( I was also guessing that it's out of the Radius scope. There's no way to interact Radius filter with http functions, like web redirect via proxy. Too sad. I'm working in a log-parser to extract "filtered" login/phone number from the log, and sent it to my helpdesk crew - and they will call the "filtered" customers. Not so elegant, but it's the most effective I can do now... Again, thanks for the support. Fernando.
Re: Webpage redirect
At 03:15 PM 12/12/2002 -0300, Fernando Teodoro wrote: Hello Chris, I'm not sure if I post the details to the mailing-list, but I'm using the following RAS: - Lucent PortMaster 3 (22 units) EOL product, but this is capable of doing what you want, if you can find the docs to configure it. - Lucent/Ascend Max6000 (4 units) EOL announced for this product, not cable of doing what you want anyway. - MaxTNT (1 unit) EOL not announced yet for this product ( that I know ), but expect it to go the way of the 6000 shortly ( Lucent wants to push the APX line ). I was guessing if Cisco would do the trick - it does a lot of tricks. But I have only Cisco routers in the ISP, no RAS :-( Cisco was one example. Other NAS ( such as the PM3 ) are also capable. I was also guessing that it's out of the Radius scope. There's no way to interact Radius filter with http functions, like web redirect via proxy. Too sad. I'm working in a log-parser to extract filtered login/phone number from the log, and sent it to my helpdesk crew - and they will call the filtered customers. Not so elegant, but it's the most effective I can do now... Something that all of the nas you listed can do fairly easily is apply a packet filter via RADIUS ( Filter-ID ). This could block port 80 traffic from going anywhere except the proxy server. You apply it selectively to the users you want. If they don't have proxy settings, they won't be able to surf the web, so they'll likely call your NOC. Your NOC can then tell them to add the proxy settings and VOILA. Many ways to skin the cat on this one. Tranparent proxying is nice, but in practice it can be difficult to setup and maintain, especially across a multi-nas environment. -Chris -- \\\|||/// \ StarNet Inc. \ Chris Parker \ ~ ~ / \ WX *is* Wireless!\ Director, Engineering | @ @ |\ http://www.starnetwx.net \ (847) 963-0116 oOo---(_)---oOo--\-- \ Wholesale Internet Services - http://www.megapop.net - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Webpage redirect
EOL product, but this is capable of doing what you want, if you can find the docs to configure it. The magic can be done with PM3? Sounds great, it's the model for most of my RAS. I'll search about it, so. Do you know how this function (redirect according filter) is called? Something that all of the nas you listed can do fairly easily is apply a packet filter via RADIUS ( Filter-ID ). This could block port 80 traffic from going anywhere except the proxy server. You apply it selectively to the users you want. If they don't have proxy settings, they won't be able to surf the web, so they'll likely call your NOC. Your NOC can then tell them to add the proxy settings and VOILA. I'm using Filter-ID; filtered customers have only access to my webserver and mail server (I'm also trying to discover how limit the daily usage to 30 minutes) The problem is my ISP was working together with another ISP, and now this fellowship has been broke apart. So, when I restrict my customers to only my webpage (where there's a message telling the story, with a link to validate their accounts), they must ACTIVELLY open the browser and go to my website (could be a proxy, which I'm not using at this time), to read the message. Therefore, if they can't go anywhere else in web, there's 50% chance they'll call my NOC, and 50% chance they'll call the other NOC (the other ISP) What a puzzle! Fernando - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
CDMA28826368636
CDMA°üÔ¿¨°üº¬ÊÐÇøÄÚ´ò½ø´ò³öµÄ»°·Ñ£¨²»º¬³¤Í¾·Ñ£¬ºÍ¶ÌÐÅÏ¢£©£ºÊÖÐø·Ñ300Ôª Êл°Í¨500ÔªËÍ400»°·Ñ ÏêÇéÇëµç26368636×Éѯ
cisco-avpair
dear all, i see at cisco log example : .. May 26 02:03:45.615:RADIUS:Received from id 2 1.13.84.100:1645, Access-Accept, len 160 May 26 02:03:45.615:Attribute 26 26 000967146833 May 26 02:03:45.615:Attribute 26 30 00096B186833 May 26 02:03:45.615:Attribute 26 36 0009651E6833 May 26 02:03:45.615:Attribute 26 23 00096D116269 May 26 02:03:45.615:Attribute 26 25 00096E136375 May 26 02:03:45.615:RADIUS:saved authorization data for user 624E9550 at 62512AA8 May 26 02:03:45.615:RADIUS:cisco AVPair :h323-return-code=0 May 26 02:03:45.615:RADIUS:cisco AVPair :h323-preferred-lang=en May 26 02:03:45.615:RADIUS:cisco AVPair :h323-credit-amount=10.00 May 26 02:03:45.615:RADIUS:cisco AVPair :h323-billing-model=1 May 26 02:03:45.615:RADIUS:cisco AVPair :h323-currency=USD May 26 02:03:45.615:AAA/MEMORY:free_user (0x624E9550) user='001234' ruser='' port='' rem_addr='101000' authen_type=ASCII service=LOGIN priv=0 but my freeradius don't send cisco avpair (vsa info). why? Regards, Tjenen - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: cisco-avpair
At 04:59 AM 12/13/2002 +0700, betux wrote: dear all, i see at cisco log example : snip but my freeradius don't send cisco avpair (vsa info). Debug info from FreeRADIUS would be more helpful in figuring out the problem than debugging info from the NAS. -Chris -- \\\|||/// \ StarNet Inc. \ Chris Parker \ ~ ~ / \ WX *is* Wireless!\ Director, Engineering | @ @ |\ http://www.starnetwx.net \ (847) 963-0116 oOo---(_)---oOo--\-- \ Wholesale Internet Services - http://www.megapop.net - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: cisco-avpair
i try test my freeradius with radtest and access accept. but info radius.log just said :Pairs do not match for user [2101704] is it caused because wrong reply attribute? Regards, Tjenen On Friday 13 December 2002 05:04, Chris Parker wrote: At 04:59 AM 12/13/2002 +0700, betux wrote: dear all, i see at cisco log example : snip but my freeradius don't send cisco avpair (vsa info). Debug info from FreeRADIUS would be more helpful in figuring out the problem than debugging info from the NAS. -Chris - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
A question about EAP-MD5.....
sorry. I am CEFIRO C. I have some troubleduring setup Winxp AP ---RADIUS Server,ask for your help... I have similar environment setting with you, using EAP-MD5, radiusd -X have the following message, I don't know what it meaning about " invalid Message-Authenticator " My environment setup as follows (1) supplicant : winxp 10.0.5.222 (2) authenticator:AP 10.0.5.221 (3) authentication server: Linux Redhat 8.0 + RADIUS10.0.5.223 (version : freeradius-snapshot-20021118) radiusd -X output rad_recv : Access-Request packet from host 10.0.5.221 : 1025, id=1, length =161 Received packet from 10.0.5.221 with invalid Message-Authenticator! Server rejecting request0. Finished request 0 Going to tje net request --- Walking the entire request list --- .. .. nothing to do. Sleeping until we see a request. --- thanks for your help..
Re: A question about EAP-MD5.....
hi comments below. AP --- RADIUS Server , ask for your help... I have similar environment setting with you, using EAP-MD5, radiusd -X have the following message, I don't know what it meaning about invalid Message-Authenticator My environment setup as follows (1) supplicant : winxp 10.0.5.222 (2) authenticator:AP 10.0.5.221 (3) authentication server: Linux Redhat 8.0 + RADIUS 10.0.5.223 (version : freeradius-snapshot-20021118) radiusd -X output -- --- rad_recv : Access-Request packet from host 10.0.5.221 : 1025, id=1, length =161 Received packet from 10.0.5.221 with invalid Message-Authenticator! Server rejecting request 0. Finished request 0 Going to tje net request --- Walking the entire request list --- .. .. nothing to do. Sleeping until we see a request. two possibilities (either...or) 1. your radius password is NOT the same in the client (authenticator) and server for this client (FR), s. clients.conf and the config of your authenticator. 2. your authenticator is a crap (tm) alan and doesn't know how to produce a radius-conform message authenticator. i bet for 1. ciao artur -- Artur Hecker Groupe Acce`s et Mobilite' hecker[at]enst[dot]fr De'partement Informatique et Re'seaux +33 1 45 81 750746, rue Barrault 75634 Paris cedex 13 http://www.infres.enst.fr ENST Paris - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html