additional reply attributes in EAP/TLS auth.
I use EAP/TLS authentication and want to add the Session-Timeout attribute to the authentication reply message. I changed my users file to:

    DEFAULT Auth-Type:=EAP Session-Timeout = 14400

That's all that's not commented out in my users file. I checked the whole debugging output, but there's no new attribute. What's wrong?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
MPPE dynamic re-keying
Did I get this right? FreeRADIUS does send a dynamically created MPPE key once the authentication is performed. But there's no dynamic re-keying after certain time spans. Is that correct? And how hard is it to implement it, say with configurable time intervals?
Security flaw in EAP/TLS
I'm using EAP/TLS authentication with an Aironet 350 AP and a win2k client. The win2k client (as does the NT client) allows specifying a login name different from the name within the certificate. Now, the user name in the cert is used for auth, but the (different) login name is stored in the UserName attribute of my accounting table (MySQL). If I know a valid user other than me, I can log in with my cert but let the other one pay for it. Is there a way to make sure that the user name and the login name are the same?
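The check asked about in the post above, as an added example that is not part of the original post and is not FreeRADIUS code: it compares the User-Name of each session with the CN of the client certificate that authenticated it and flags every session where the two differ. The record layout, the OpenSSL one-line subject format, and all function names and sample values are assumptions constructed for illustration.

```python
# Added example: hypothetical helpers and constructed sample data.

def cert_common_name(subject):
    """Return the CN from an OpenSSL one-line subject such as
    '/C=DE/O=Example/CN=alice', or None when the subject carries no CN."""
    cn = None
    for part in subject.split("/"):
        key, sep, value = part.partition("=")
        if sep and key.strip().upper() == "CN":
            cn = value.strip()  # the last CN is the most specific one
    return cn or None


def identity_matches(user_name, subject):
    """True only when the login name equals the certificate CN exactly.
    A missing CN never matches, so such sessions are always flagged."""
    cn = cert_common_name(subject)
    return cn is not None and user_name == cn


def mismatches(sessions):
    """Return the sessions whose accounting name is not the certificate CN."""
    return [s for s in sessions
            if not identity_matches(s["user_name"], s["cert_subject"])]


# Constructed sessions: login name sent by the client and the subject of
# the certificate that was actually verified during the TLS handshake.
SESSIONS = [
    {"user_name": "alice", "cert_subject": "/C=DE/O=Example/CN=alice"},
    {"user_name": "bob",   "cert_subject": "/C=DE/O=Example/CN=alice"},
    {"user_name": "carol", "cert_subject": "/C=DE/O=Example"},
    {"user_name": "Alice", "cert_subject": "/C=DE/O=Example/CN=alice"},
]

if __name__ == "__main__":
    for s in mismatches(SESSIONS):
        print("mismatch: login=%r cert CN=%r"
              % (s["user_name"], cert_common_name(s["cert_subject"])))
```

The comparison is deliberately exact: a case difference or a certificate without a CN is reported rather than silently accepted, because the accounting table would otherwise bill a name the certificate never proved.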
Re: Odyssey Client EAP/TLS problem
Here's some more info on the problem I have: The client has a valid certificate, as well as the server. Both of them can validate each other's certificate using a valid root certificate. However, the states of the second rad-access-cha packet of the server and the rad-access-req answer packet from the client do not match. The server cannot find a handler for the request (mem.c), more or less ignores this request, and does not receive any other answer, thus sends a rad-access-rej packet. How are the states of the two packets calculated? I guess the certificates are involved here, but they do not seem to be the problem anyway. In the first rad-access-req - rad-access-cha packet pair, the states do match, but I'm not sure if the certs are involved here already. Could the client (Odyssey) be the problem? I highly appreciate any comments.

Klaus
Odyssey Client EAP/TLS problem
I have freeradius up and running. On the client side I use an Odyssey client manager (newest version). Once I try, the authentication messages are sent back and forth, as I could see from the tcpdump trace. In short it looks like:

    radius:
    rad-access-req 198 [id 1]
    rad-access-cha 84 [id 1]
    rad-access-req 321 [id 0]
    rad-access-cha 1120 [id 0]
    rad-access-req 229 [id 1]
    rad-access-reject 20 [id 1]

The debugging information from the radius server tells:

    rlm_eap: Request not found in the list
    rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
    modcall[authenticate]: module eap returns invalid
    modcall: group authenticate returns invalid
    auth: Failed to validate the user.
    Login incorrect

Did anybody see this before and find a solution?