Re: FreeRadius authentication problems

2012-12-04 Thread Primož Marinšek
On 4 December 2012 08:32, Taneli Virtanen  wrote:
> So, apparently it never actually does connect to it, but since the
> authentication happens OK on the FreeRadius side, I'm left to believe that
> it is in fact Ruckus who isn't happy with me trying to join the network.

I'm still a big noob with freeRADIUS but I will say that it works ok
as I know that smart people are coding it. I've seen ZD work with
freeRADIUS and other RADIUS's with no issues at all also, so please
tell me which FW you are running on the ZD?


--
Primož Marinšek
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius authentication problems

2012-12-04 Thread Phil Mayers

On 12/04/2012 07:32 AM, Taneli Virtanen wrote:

> User[client mac address] fails authentication too many times in a row
> when joining WLAN[opetus-x/opetusx] at AP[ap1].
> User[client mac address] is temporarily blocked from the system for [30
> seconds].
>
> Ok, after doing some searching I found more comprehensive logs on Ruckus
> which reveal the previous lines when trying to connect to the radius
> network.
>
> So, apparently it never actually does connect to it, but since the
> authentication happens OK on the FreeRadius side, I'm left to believe
> that it is in fact Ruckus who isn't happy with me trying to join the
> network.



It might be EAP-identity packets hitting timeout/retry limits, due to 
wireless-level problems (interference, poor signal). This is very 
common, and lots of people tend to "associate" (pardon the pun) the 
problem with authentication, but in truth the identity request is really 
"just prior" to auth starting. It's only once the client sends an 
identity response that EAP gets started.



Radius Code set to 2??

2012-12-04 Thread ashok kumar
Hey folks,

I have an AP from which I get a RADIUS message with code field set to 2.
It was received from on port 1812.

Can anybody tell me the significance of this problem because when I change
the APs everything works fine. I need to ascertain whether any
configuration change is required on AP/ Radius server.

Awaiting your useful suggestions.

Thanks in advance

Regards,

Ashok Kumar.

Re: Radius Code set to 2??

2012-12-04 Thread Arran Cudbard-Bell

On 4 Dec 2012, at 10:14, ashok kumar  wrote:

> Hey folks,
> 
> I have an AP from which I get a RADIUS message with code field set to 2. It 
> was received from on port 1812.
> 
> Can anybody tell me the significance of this problem because when I change 
> the APs everything works fine. I need to ascertain whether any configuration 
> change is required on AP/ Radius server.

Your AP is broken. It shouldn't be sending Access-Accepts to the RADIUS 
server...

-Arran
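
Added example (not part of the original thread and not FreeRADIUS code): code 2 in the first octet of a RADIUS packet is Access-Accept, a reply type, so a listener on port 1812 should never receive it. The sketch below parses the header and flags reply-type packets that arrive on a listening port; the function names, the port-to-role table and the sample packets are assumptions made for illustration.

```python
import struct

# RADIUS packet codes (RFC 2865, 2866, 5997, 5176).
CODES = {
    1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
    4: "Accounting-Request", 5: "Accounting-Response",
    11: "Access-Challenge", 12: "Status-Server",
    40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
    43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK",
}

# Codes a listening socket should receive, keyed by UDP port. The port
# roles are the conventional defaults (an assumption; match your config).
EXPECTED = {
    1812: {1, 12},    # authentication listener: requests only
    1813: {4, 12},    # accounting listener
    3799: {40, 43},   # CoA / Disconnect listener on a NAS
}

HEADER = struct.Struct("!BBH16s")  # code, identifier, length, authenticator


def parse_packet(datagram):
    """Return (code, identifier, [(attr_type, value), ...]) or raise ValueError."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, ident, length, _authenticator = HEADER.unpack_from(datagram)
    if length < HEADER.size or length > 4096 or length > len(datagram):
        raise ValueError("bad length field %d" % length)
    attrs, pos = [], HEADER.size
    while pos < length:            # octets beyond `length` are padding
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = datagram[pos], datagram[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        attrs.append((attr_type, datagram[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, attrs


def classify(datagram, dst_port):
    """Return (verdict, detail) for a datagram that arrived on dst_port."""
    try:
        code, _ident, _attrs = parse_packet(datagram)
    except ValueError as exc:
        return "malformed", str(exc)
    name = CODES.get(code, "code %d" % code)
    allowed = EXPECTED.get(dst_port)
    if allowed is None:
        return "unknown-port", name
    return ("expected" if code in allowed else "wrong-direction"), name


def build(code, ident, attrs=()):
    """Build a constructed test packet (zeroed authenticator, no valid crypto)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return HEADER.pack(code, ident, HEADER.size + len(body), bytes(16)) + body


# Constructed samples: a normal request, and a reply-type packet like the
# one described in the thread.
REQUEST = build(1, 88, [(1, b"testing"), (5, struct.pack("!I", 0))])
ACCEPT = build(2, 88)

if __name__ == "__main__":
    for label, pkt in (("request", REQUEST), ("accept", ACCEPT)):
        print(label, classify(pkt, 1812))
```

A proxying server does receive Access-Accept packets, but as replies on the socket it sent the proxied request from, not on its listening port.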


Segmentation fault

2012-12-04 Thread Manuel Campana
Hello

I'm quite new to freeradius and I experienced my first issue right away
after trying the first attempt.
If I run a quick test on localhost I get a segmentation fault

Tue Dec  4 10:17:11 2012 : Debug: Listening on authentication address * port 1812
Tue Dec  4 10:17:11 2012 : Debug: Listening on accounting address * port 1813
Tue Dec  4 10:17:11 2012 : Debug: Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Tue Dec  4 10:17:11 2012 : Debug: Listening on proxy address * port 1814
Tue Dec  4 10:17:11 2012 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 53330, id=88, length=77
User-Name = "testing"
User-Password = "password"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x0d49f27be8b1d4bd1f5c5345041acde7
Tue Dec  4 10:17:16 2012 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Tue Dec  4 10:17:16 2012 : Info: +- entering group authorize {...}
Segmentation fault



This is the freeradius version installed on my debian machine

freeradius: FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Sep 11 2012 at 17:06:46

The configuration seems to be ok so I don't know why I get this. Can anyone
help me?

Thanks

Br
Manuel

-- 
*Manuel Campana*
Technical Support Engineer
Accedian Networks
T: 514 331 6181 x463
E: mcamp...@accedian.com
@Accedian


AW: Re: Radius Code set to 2??

2012-12-04 Thread Matthias Nagel
Hello,
some APs have the option to work as a RADIUS proxy. Perhaps the AP is not 
actually broken, but only wrongly configured.
Matthias


Matthias Nagel
Willy-Andreas-Allee 1, Zimmer 506
76131 Karlsruhe

Telefon: +49-721-8695-1506
Mobil: +49-151-15998774
ICQ: 499797758
Skype: nagmat84

Arran Cudbard-Bell wrote:
> On 4 Dec 2012, at 10:14, ashok kumar wrote:
>
> > Hey folks,
> > 
> > I have an AP from which I get a RADIUS message with code field set to 2. It 
> > was received from on port 1812.
> > 
> > Can anybody tell me the significance of this problem because when I change 
> > the APs everything works fine. I need to ascertain whether any configuration 
> > change is required on AP/ Radius server.
>
> Your AP is broken. It shouldn't be sending Access-Accepts to the RADIUS 
> server...
>
> -Arran

Re: Radius Code set to 2??

2012-12-04 Thread Arran Cudbard-Bell

On 4 Dec 2012, at 12:31, Matthias Nagel  wrote:

> Hello,
> some APs have the option to work as a RADIUS proxy. Perhaps the AP is not 
> actually broken, but only wrongly configured.
> Matthias

So the RADIUS server sent an Access-Request via the AP? Why would it be doing 
that?

-Arran


Re: Segmentation fault

2012-12-04 Thread Arran Cudbard-Bell
Hi Manuel,

Please read through the wiki page on bug reports: 
http://wiki.freeradius.org/project/bug-reports

-Arran


Re: share variables in perl script (rlm_perl)

2012-12-04 Thread laurent . feron
Hello, thanks for your response. I tried memcached as suggested by John Dennis. 
Seems to be working very well.
I thought of Redis; if memcached does not satisfy me (I don't see), Redis 
could be an option.
In terms of security, I have to be sure that information in memcached can be 
secured, and not public.
Regards,
Laurent

- Original Message -
From: "Iliya Peregoudov" 
To: "FreeRadius users mailing list" 
Sent: Tuesday 4 December 2012 08:14:13
Subject: Re: share variables in perl script (rlm_perl)

Arran Cudbard-Bell wrote:
> On 29 Nov 2012, at 22:14, laurent.fe...@free.fr wrote:
> 
>> Hello,
>>
>> In a perl script (where authorize() and authenticate() are defined), I was 
>> able to set a global variable. When a radius request comes, the script may 
>> modify the variable, and the next request has the new value. I test with 
>> radiusd -X, and everything is fine.
>>
>> When radiusd is started as a daemon, 5 threads (default value) are started. 
>> And now, I understood I have 5 different perl "environments".
>> Meaning, when I start the first radtest that modifies the global variable, 
>> only the sixth request can view the global variable modified by the first 
>> request (I guess the sixth one turns into the first thread).
>>
>> I hope my explanation is clear. I would like to know if it is possible to have 
>> a unique sharing environment (the basic solution is maybe to have only one 
>> thread, but it should be good for performance)
> 
> No, submit patches if you want this functionality.

You can explicitly share data between perl interpreters. However you'll 
need to explicitly lock shared data. See perldoc threads::shared for 
details.

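use threads;
# this module contains share(), shared_clone() and lock()
use threads::shared;

# hashes are emptied when shared, so share before filling
my %sharedhash;
share(%sharedhash);

# store $value under $key; the lock is released when the sub returns
sub put($$) {
    my ($key, $value) = @_;
    lock(%sharedhash);
    # share() returns a reference to its argument, so use shared_clone():
    # plain scalars are stored as-is, references are deep-copied as shared
    $sharedhash{$key} = shared_clone($value);
    return;
}

# fetch the value stored under $key
sub get($) {
    my ($key) = @_;
    lock(%sharedhash);
    my $value = $sharedhash{$key};
    return $value;
}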

But I think it's better to store shared data in some sort of storage, 
for example redis or sql database.


Re: share variables in perl script (rlm_perl)

2012-12-04 Thread John Dennis

On 12/04/2012 09:30 AM, laurent.fe...@free.fr wrote:

> Hello, thanks for your response. I tried memcached as suggested by John Dennis. 
> Seems to be working very well.
> I thought of Redis; if memcached does not satisfy me (I don't see), Redis 
> could be an option.
> In terms of security, I have to be sure that information in memcached can be 
> secured, and not public.


The simplest and most secure way to secure memcached is by using unix 
sockets if your memcached instance is running on the same machine as 
your memcache clients (e.g. radiusd). The memcache data won't be 
accessible remotely because memcached is not listening on an inet 
socket. Use appropriate ownership and permissions on the socket file.



--
John Dennis 
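
Added example (not part of the original message, and not code from memcached or FreeRADIUS): a small audit of the setup described above, checking that memcached is started with a UNIX socket (-s) and that the socket's access mask (-a), owner and group do not expose it to other local users. The function names, finding labels, paths and uid/gid values are constructed for illustration.

```python
import os
import stat

DEFAULT_MASK = 0o700  # memcached's default access mask when -s is used


def check_cmdline(argv):
    """Return findings for a memcached argument list (short options only)."""
    if "-s" not in argv:
        return ["inet-listener"]            # no UNIX socket: network in use
    mask = DEFAULT_MASK
    if "-a" in argv:
        idx = argv.index("-a") + 1
        if idx >= len(argv):
            return ["missing-mask-value"]
        try:
            mask = int(argv[idx], 8)        # -a takes an octal mask
        except ValueError:
            return ["bad-mask-value"]
    return ["world-accessible-mask"] if mask & 0o007 else []


def evaluate_stat(mode, uid, gid, allowed_uids, allowed_gids):
    """Return findings for a socket file's st_mode, st_uid and st_gid."""
    if not stat.S_ISSOCK(mode):
        return ["not-a-socket"]
    findings = []
    perms = stat.S_IMODE(mode)
    if perms & stat.S_IRWXO:                # any access for "other"
        findings.append("world-accessible")
    if uid not in allowed_uids:
        findings.append("unexpected-owner")
    if perms & stat.S_IRWXG and gid not in allowed_gids:
        findings.append("unexpected-group")  # group has access, wrong group
    return findings


def audit_socket(path, allowed_uids, allowed_gids):
    """Stat the socket at `path` and evaluate ownership and permissions."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing"]
    return evaluate_stat(st.st_mode, st.st_uid, st.st_gid,
                         allowed_uids, allowed_gids)


if __name__ == "__main__":
    # Constructed command line: memcached owned by uid 110, socket group 120
    # (a group that the radiusd user would be a member of).
    argv = ["memcached", "-u", "memcache", "-s", "/run/memcached/mc.sock",
            "-a", "0660"]
    print("cmdline:", check_cmdline(argv) or "ok")
    print("socket :", evaluate_stat(stat.S_IFSOCK | 0o660, 110, 120,
                                    {110}, {120}) or "ok")
```

With the default mask only the memcached user can connect, so a radiusd running under another account needs a shared group and a mask such as 0660 rather than a world-accessible socket.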



AW: AW: EAP-TLS Failed in handler question

2012-12-04 Thread PENZ Robert
Hi!



I was still not able to get a trace on the client side, but I believe these 
debug log entries should help. This time I got the start packet and it is 
within some seconds that I get the 2nd packet to the radius server and the State 
variable seems to be the same.



Ready to process requests.
rad_recv: Access-Request packet from host 10.xx.xx.5 port 54217, id=11, length=152
User-Name = "host/x.local"
EAP-Message = 0x02ff002101686f73742f4456542d303039363832322e7469726f6c2e6c6f63616c
NAS-IP-Address = 10.xx.xx.5
Service-Type = Login-User
Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
NAS-Port-Id = "1:29"
NAS-Port = 1029
NAS-Port-Type = Ethernet
Message-Authenticator = 0xd080844ef3e47a9bc21e8c848b5a8548
..
[eap] EAP packet type response id 255 length 33
[eap] No EAP Start, assuming it's an on-going EAP conversation
+++[eap] returns updated
++- else else returns updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group EAP {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
..
Sending Access-Challenge of id 11 to 10.xx.xx.5 port 54217
EAP-Message = 0x01060d20
Message-Authenticator = 0x
State = 0x642534cc642539e20b4be1e3ae0328c0
Finished request 62603.
Going to the next request
Waking up in 4.9 seconds.

rad_recv: Access-Request packet from host 10. xx.xx.5 port 54217, id=12, length=242
User-Name = "host/x.tirol.local"
EAP-Message = 0x02ff00690d80005f160301005a0156030150bd9377fb696c9f5eaedc568220f9aa35ab65930cf2232f4131c054b056295418002f00350005000ac013c014c009c00a00320038001300040115ff0100010a0006000400170018000b00020100
NAS-IP-Address = 10.xx.xx.5
Service-Type = Login-User
Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
NAS-Port-Id = "1:29"
NAS-Port = 1029
NAS-Port-Type = Ethernet
State = 0x642534cc642539e20b4be1e3ae0328c0
Message-Authenticator = 0xeada93f9da1ca47a6f0325e8ad0414a9
...
[eap] EAP packet type response id 255 length 105
[eap] No EAP Start, assuming it's an on-going EAP conversation
+++[eap] returns updated
++- else else returns updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group EAP {...}
rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
[eap] Failed in handler
++[eap] returns invalid



There is no other packet between these two and only 5 seconds, server has not 
been restarted.



Robert





-Original Message-
From: freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org 
[mailto:freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org] 
On Behalf Of PENZ Robert
Sent: Tuesday, 27 November 2012 17:38
To: FreeRadius users mailing list
Subject: AW: AW: EAP-TLS Failed in handler question



> > With first packet I meant first packet the radius server saw in some time 
> > ... the switch forces a reauthentication every 2h

> A re-auth is a fresh EAP session. So even on a re-auth, the first packet
> would not have a "State" attribute, absent software bugs.

ok

> >> It *could* be that the client just got stuck and is responding (very)
> >> late. But I'm quite surprised the NAS didn't timeout the EAP auth before
> >> that.
> >
> > We're running Extreme Networks Switches with following timers set:
> >
> > configure netlogin dot1x timers quiet-period 30
> > configure netlogin dot1x timers reauth-period 7200

> We run SummitX edge, and when I've tested dot1x netlogin in the past, I
> haven't seen this issue. We've never widely deployed it, however, so
> it's possible there's an XOS bug where a small percentage of re-auths
> erroneously re-use the "State". You'd need to get a packet capture to be
> sure.

ok ... will try to get one .. is not easy ...

> > but reject means the switch sets the port to the guest vlan, and therefore 
> > the PC loses the connections ... is there a way to request a new full 
> > eap/tls handshake from the client?
>
> You're not understanding, or I'm not making myself clear.
>
> Suggestion: fire up wireshark, and take a careful look at a normal EAP
> authentication. You'll see that the first packet is an EAP-Identity
> without a "State" attribute, which the server responds to with an
> Access-Challenge containing the default eap type "start" payload, and a
> "State" attribute.
>
> Are you *absolutely sure* that these packets are really the first RADIUS
> packet in the auth/re-auth?

will check again and get back to you

> If you're sure, your problem seems to be that the correct first packet
> isn't being sent; the switch is j

Originating CoA

2012-12-04 Thread amanda edades
Hello,

I am trying to use my RADIUS server to designate user group memberships
specifying QoS policies and monthly data caps.  When authenticating, the
server returns an AVP that tells what group a user is in, and the NAS will
apply the associated QoS policies to his traffic.  The RADIUS server checks
if a user is over his data cap on every Access-Request and Interim-Update
packet.  When the user exceeds the data cap defined for his group, the
RADIUS server originates a CoA and sends a new group assignment in which
his traffic is throttled.

Everything works fine now, but if the RADIUS server finds that a user is
over his cap, it first returns its default group assignment taken from the
radgroupreply table, then sends a CoA.

Output from RADIUS:
Sending Accounting-Response of id 122 to 127.0.0.1 port 33544
Access-Group = "Group1"
  WARNING: Empty pre-proxy section.  Using default return values.
Sending CoA-Request of id 223 to 127.0.0.1 port 3799
User-Name = "1907444"
Access-Group = "ThrottledGroup"
Finished request 8.

So the NAS receives the default group assignment, then the throttled group
assignment immediately after.  To avoid confusion and transmitting
unnecessary data, in the case when a data cap is exceeded, how do I prevent
the RADIUS server from returning the default values from the radgroupreply
table, and only send the CoA?

Thank you,

Amanda

Re: AW: AW: EAP-TLS Failed in handler question

2012-12-04 Thread Phil Mayers

On 12/04/2012 03:59 PM, PENZ Robert wrote:


> There is no other packet between these two and only 5 seconds, server has
> not been restarted.


Weird.

But we need the *full* debug please!


Re: Redundant Freeradius

2012-12-04 Thread fknet
Thanks Fajar, I'm not a real DBA, but I've worked with mysql for some 
years.


I'll do some tests.

Fabricio

On 03/12/2012 10:05, Fajar A. Nugraha wrote:

> On Mon, Dec 3, 2012 at 6:52 PM, fknet wrote:
>
> > Thanks Fajar!
> >
> > I'm not an expert, but I know how to work with a database, I've done this
> > for some years.
> >
> > My doubt is about the replication of radacct specifically.
>
> If you're familiar with master-master replication, and know how to
> work around duplicate unique key (e.g. with mysql's "INSERT .. on
> DUPLICATE KEY UPDATE ...", ignoring selective replication errors,
> etc.), then you should be good to go. Otherwise, hire someone who
> does, or do lots of experiments until you're satisfied with the
> result.





Re: Originating CoA

2012-12-04 Thread Arran Cudbard-Bell

On 4 Dec 2012, at 18:14, amanda edades  wrote:

> Hello,
> 
> I am trying to use my RADIUS server to designate user group memberships 
> specifying QoS policies and monthly data caps.  When authenticating, the 
> server returns an AVP that tells what group a user is in, and the NAS will 
> apply the associated QoS policies to his traffic.  The RADIUS server checks 
> if a user is over his data cap on every Access-Request and Interim-Update 
> packet.  When the user exceeds the data cap defined for his group, the RADIUS 
> server originates a CoA and sends a new group assignment in which his traffic 
> is throttled.
> 
> Everything works fine now, but if the RADIUS server finds that a user is over 
> his cap, it first returns its default group assignment taken from the 
> radgroupreply table, then sends a CoA.
> 
> Output from RADIUS:
> Sending Accounting-Response of id 122 to 127.0.0.1 port 33544
> Access-Group = "Group1"
>   WARNING: Empty pre-proxy section.  Using default return values.
> Sending CoA-Request of id 223 to 127.0.0.1 port 3799
> User-Name = "1907444"
> Access-Group = "ThrottledGroup"
> Finished request 8.
> 
> So the NAS receives the default group assignment, then the throttled group 
> assignment immediately after.  To avoid confusion and transmitting 
> unnecessary data, in the case when a data cap is exceeded, how do I prevent 
> the RADIUS server from returning the default values from the radgroupreply 
> table, and only send the CoA?

Add a group check item for the user not being over the limit? 

-Arran



Define New Attribute

2012-12-04 Thread Alexandre J. Correa (Onda)

Hello,

I need to track some type of 'user group'. I'm doing this to not 
overload my database servers.


Into the radgroupreply table I need to 'create' one attribute like:

Check-Bandwidth := [0,1]

I added this attribute in groupreply, in my dictionary file and I can 
see this attribute in the 'authorization' section.


How can I pass it to the 'accounting' section? Maybe setting a global variable 
for this session?


The purpose of doing this is to check if the value is 1, freeradius needs to 
track this user every interim-update, Start and Stop Packet-Type. If the 
value is 0, freeradius skips this user from checking.


... Is this the 'best' way? If anyone has a better way.. and can 
share.. I'll be thankful !!


Regards,

--
Sds.

Alexandre Jeronimo Correa
Managing Partner

Office: +55 34 3351 3077

Onda Internet
www.onda.net.br



Re: Define New Attribute

2012-12-04 Thread Arran Cudbard-Bell

On 4 Dec 2012, at 20:50, "Alexandre J. Correa (Onda)"  
wrote:

> Hello,
> 
> I need to track some type of 'user group'. I'm doing this to not overload my 
> database servers.
> 
> Into the radgroupreply table I need to 'create' one attribute like:
> 
> Check-Bandwidth := [0,1]
> 
> I added this attribute in groupreply, in my dictionary file and I can see 
> this attribute in the 'authorization' section.
> 
> How can I pass it to the 'accounting' section? Maybe setting a global variable for 
> this session?


Call sql.authorize in preacct.

-Arran


Eduroam & FreeRadius not working so well

2012-12-04 Thread Mike Diggins


I'm running FreeRadius 2.1.12 on RedHat 6 as an Eduroam proxy server and 
having problems. My cisco wireless controllers are constantly failing back 
and forth between the primary and secondary systems. My logs show these 
errors when it happens:


Dec  4 19:12:18 server radiusd[32588]: Internal sanity check failed for child state
Dec  4 19:12:18 server radiusd[32588]: Reply from home server x.x.x.x port 1812  - ID: 210 arrived too late for request 76479. Try increasing 'retry_delay' or 'max_request_time'
Dec  4 19:13:18 server radiusd[32588]: Discarding duplicate request from client ct5508 port 32770 - ID: 148 due to unfinished request 76495
Dec  4 19:13:26 server radiusd[32588]: Discarding duplicate request from client ct5508 port 32770 - ID: 148 due to unfinished request 76495
Dec  4 19:13:34 server radiusd[32588]: Discarding duplicate request from client ct5508 port 32770 - ID: 148 due to unfinished request 76495
Dec  4 19:13:41 server radiusd[32588]: Internal sanity check failed for child state
Dec  4 19:13:41 server radiusd[32588]: Reply from home server x.x.x.x port 1812  - ID: 102 arrived too late for request 76495. Try increasing 'retry_delay' or 'max_request_time'
Dec  4 19:13:42 server radiusd[32588]: Discarding duplicate request from client ct5508 port 32770 - ID: 148 due to unfinished request 76495


I'm looking for some advice as to what timeouts to adjust that might help 
with the errors. I didn't want to start changing retry_delay or 
max_request_time without some advice first. Any suggestions? I have no 
control over the Home Servers or how long a request takes to complete and 
I don't know what's causing the sanity check failure!?


-Mike




Re: Re: Radius Code set to 2??

2012-12-04 Thread ashok kumar
My AP is not broken and it is working fine without any issue.


On Tue, Dec 4, 2012 at 6:01 PM, Matthias Nagel
wrote:

> Hello,
> some APs have the option to work as a RADIUS proxy. Perhaps the AP is not
> actually broken, but only wrongly configured.
> Matthias
>
>
> Matthias Nagel
> Willy-Andreas-Allee 1, Zimmer 506
> 76131 Karlsruhe
>
> Telefon: +49-721-8695-1506
> Mobil: +49-151-15998774
> ICQ: 499797758
> Skype: nagmat84
>
> Arran Cudbard-Bell  hat geschrieben:
>
>
> On 4 Dec 2012, at 10:14, ashok kumar  wrote:
>
> > Hey folks,
> >
> > I have an AP from which I get a RADIUS message with code field set to
> 2. It was received from on port 1812.
> >
> > Can anybody tell me the significance of this problem because when I
> change the APs everything works fine. I need to ascertain whether any
> configuration change is required on AP/ Radius server.
>
> Your AP is broken. It shouldn't be sending Access-Accepts to the RADIUS
> server...
>
> -Arran

Re: Re: Radius Code set to 2??

2012-12-04 Thread ashok kumar
Can anyone explain the reasons why the AP is showing these
messages?


On Wed, Dec 5, 2012 at 11:59 AM, ashok kumar wrote:

> My AP is not broken and it is working fine without any issue.
>
>
>
> On Tue, Dec 4, 2012 at 6:01 PM, Matthias Nagel  > wrote:
>
>> Hello,
>> some APs have the option to work as a RADIUS proxy. Perhaps the AP is not
>> actually broken, but only wrongly configured.
>> Matthias
>>
>>
>> Matthias Nagel
>> Willy-Andreas-Allee 1, Zimmer 506
>> 76131 Karlsruhe
>>
>> Telefon: +49-721-8695-1506
>> Mobil: +49-151-15998774
>> ICQ: 499797758
>> Skype: nagmat84
>>
>> Arran Cudbard-Bell  hat geschrieben:
>>
>>
>> On 4 Dec 2012, at 10:14, ashok kumar  wrote:
>>
>> > Hey folks,
>> >
>> > I have an AP from which I get a RADIUS message with code field set to
>> 2. It was received from on port 1812.
>> >
>> > Can anybody tell me the significance of this problem because when I
>> change the APs everything works fine. I need to ascertain whether any
>> configuration change is required on AP/ Radius server.
>>
>> Your AP is broken. It shouldn't be sending Access-Accepts to the RADIUS
>> server...
>>
>> -Arran

AW: AW: AW: EAP-TLS Failed in handler question

2012-12-04 Thread PENZ Robert

> > There is no other packet between these two and only 5 seconds, server has
> > not been restarted.
> Weird.
> But we need the *full* debug please!

some special option or the full log file? The second I send you in a private 
mail.

Robert


Re: Re: Radius Code set to 2??

2012-12-04 Thread Fajar A. Nugraha
On Wed, Dec 5, 2012 at 1:32 PM, ashok kumar  wrote:
> Can anyone explain the reasons why the AP is showing these
> messages?

Well, this is a freeradius list, while your problem is specific to the AP.

Have you tried asking the vendor for support?

Just because this list is usually responsive, it doesn't mean you can
ask 
questions-unrelated-to-the-topic-over-and-over-again-and-magically-got-a-good-answer.

-- 
Fajar


Re: Radius Code set to 2??

2012-12-04 Thread Alan Buxey
You were already given an answer. AP shouldn't be sending a RADIUS 
access-accept to the server. Either a misconfiguration, software bug or 
misreading of the issue

alan
