Re: Problem with Cisco-AVPair
Hi,

I don't know how I can resolve my problem... With this user:

vlan3   Cisco-AVPair == ssid=VLAN3, User-Password := test
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 3,
        Tunnel-Type = VLAN

I always have the same problem... this is my log:

rad_recv: Access-Request packet from host 192.168.9.104:1645, id=29, length=240
        User-Name = vlan3
        Framed-MTU = 1400
        Called-Station-Id = 0012.dacb.8420
        Calling-Station-Id = 000c.f135.f1ba
        Cisco-AVPair = ssid=VLAN3
        Service-Type = Login-User
        Message-Authenticator = 0x9873358109c27321d39f54fcaa44b983
        EAP-Message = 0x0208005019001703010020abbfc50d6f7a13a8226e008a01441a4e94f2565c4eec010d12551692bfc9eea11703010020ea39080c7e56fafd97e7cb195e21a02a445b5632d50a356d96bf10a3082d53e2
        NAS-Port-Type = Wireless-802.11
        Cisco-NAS-Port = 263
        NAS-Port = 263
        State = 0x1846e133758faf753fefeedfd54cc831
        NAS-IP-Address = 192.168.9.104
        NAS-Identifier = ap
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module preprocess returns ok for request 7
modcall[authorize]: module mschap returns noop for request 7
rlm_realm: No '@' in User-Name = vlan3, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 7
rlm_eap: EAP packet type response id 8 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 7
users: Matched entry vlan3 at line 24
modcall[authorize]: module files returns ok for request 7
modcall: leaving group authorize (returns updated) for request 7
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module eap returns invalid for request 7
modcall: leaving group authenticate (returns invalid) for request 7
auth: Failed to validate the user.
Login incorrect: [vlan3/no User-Password attribute] (from client ap-test port 263 cli 000c.f135.f1ba)
Delaying request 7 for 1 seconds
Finished request 7
Going to the next request

Is it possible that my problem is this?

rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session.

I tried a lot of things but I can't find a solution for my problem...

Thanks, bye
Antonio

on 15/04/2006 20.03 Alan DeKok said the following:

  Bertrand Poulet [EMAIL PROTECTED] wrote:

    at line 66 of users files, I've got:
    bertrand Cisco-AVPair == ssid=my_ssid, User-Password == bertrand

  Use := for User-Password.

  Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with Cisco-AVPair
Antonio Matera wrote:

  Is it possible that my problem is this?
  rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session.

Yes. So read (or send to the list for others to help you with) the FULL debug output, not just the last packet.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with Cisco-AVPair
I am away for a few days and cannot check my mail; get back to me after 24/4 or contact the office at [EMAIL PROTECTED] or +46-612-717780

I'm out of office until April 24, contact office: [EMAIL PROTECTED] or +46-612-717780

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with Cisco-AVPair
Hello all,

I've followed the thread about SSID and user authentication and I'm wondering how FR checks the Cisco-AVPair?

When I write Cisco-AVPair == ... in the users file, the MS-CHAPv2 step rejects authentication (if I understand the output below), but if I write Cisco-AVPair := ... in the users file, the MS-CHAPv2 step accepts authentication.

I read some FR docs, and Cisco-AVPair == .. is a comparison, and with := it's an affectation? Why does the change of this attribute in the users file make the MS-CHAPv2 check fail?

Thanks for your help.

Bertrand.

This is part of the radiusd -X -A output; full output is at the bottom, as is the users file:

modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 6
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for bertrand with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module mschap returns reject for request 6

At line 66 of the users file, I've got:

bertrand Cisco-AVPair == ssid=my_ssid, User-Password == bertrand

USERS FILE:

#
#Please read the documentation file ../doc/processing_users_file,
#or 'man 5 users' (after installing the server) for more information.
#
#This file contains authentication security and configuration
#information for each user. Accounting requests are NOT processed
#through this file. Instead, see 'acct_users', in this directory.
#
#The first field is the user's name and can be up to
#253 characters in length. This is followed (on the same line) with
#the list of authentication requirements for that user. This can
#include password, comm server name, comm server port number, protocol
#type (perhaps set by the hints file), and huntgroup name (set by
#the huntgroups file).
#
#If you are not sure why a particular reply is being sent by the
#server, then run the server in debugging mode (radiusd -X), and
#you will see which entries in this file are matched.
#
#When an authentication request is received from the comm server,
#these values are tested. Only the first match is used unless the
#Fall-Through variable is set to Yes.
#
#A special user named DEFAULT matches on all usernames.
#You can have several DEFAULT entries. All entries are processed
#in the order they appear in this file. The first entry that
#matches the login-request will stop processing unless you use
#the Fall-Through variable.
#
#If you use the database support to turn this file into a .db or .dbm
#file, the DEFAULT entries _have_ to be at the end of this file and
#you can't have multiple entries for one username.
#
#You don't need to specify a password if you set Auth-Type += System
#on the list of authentication requirements. The RADIUS server
#will then check the system password file.
#
#Indented (with the tab character) lines following the first
#line indicate the configuration values to be passed back to
#the comm server to allow the initiation of a user session.
#This can include things like the PPP configuration values
#or the host to log the user onto.
#
#You can include another `users' file with `$INCLUDE users.other'
#
#
#For a list of RADIUS attributes, and links to their definitions,
#see:
#
#http://www.freeradius.org/rfc/attributes.html
#
#
# Deny access for a specific user. Note that this entry MUST
# be before any other 'Auth-Type' attribute which results in the user
# being authenticated.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#lameuser Auth-Type := Reject
#         Reply-Message = Your account has been disabled.
#
bertrand Cisco-AVPair == ssid=my_ssid, User-Password == bertrand
#
#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#DEFAULT Group == disabled, Auth-Type := Reject
#        Reply-Message = Your account has been disabled.
#
#
# This is a complete entry for steve. Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used, and the user will NOT
# get any attributes in addition to the ones listed here.
#
#steve Auth-Type := Local, User-Password == testing
#      Service-Type = Framed-User,
#      Framed-Protocol = PPP,
#      Framed-IP-Address = 172.16.3.33,
#      Framed-IP-Netmask = 255.255.255.0,
#      Framed-Routing = Broadcast-Listen,
#      Framed-Filter-Id = std.ppp,
#      Framed-MTU = 1500,
#      Framed-Compression = Van-Jacobsen-TCP-IP
#
# This is an entry for a user
Re: Problem with Cisco-AVPair
Bertrand Poulet [EMAIL PROTECTED] wrote:

  at line 66 of users files, I've got:
  bertrand Cisco-AVPair == ssid=my_ssid, User-Password == bertrand

Use := for User-Password.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
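The difference between == and := on the check-item line that this thread turns on, as an added Python sketch (not part of any message in the thread and not FreeRADIUS code). It is a simplified model of users-file matching only, not of EAP: the rule that "User-Password ==" is skipped when the request carries no User-Password is an assumption modelled on the debug output quoted in the thread (entry matched, yet no User-Password configured), and the ssid=GUEST request is constructed.

```python
import re

# Attributes the NAS sends in the Access-Request shown in this thread.
# A ":=" on one of these sets a value instead of testing the request.
REQUEST_ATTRS = {"Cisco-AVPair", "Called-Station-Id", "Calling-Station-Id",
                 "NAS-IP-Address", "NAS-Identifier", "NAS-Port-Type"}

ITEM_RE = re.compile(r"^([\w-]+)\s*(:=|==)\s*(.+)$")


def parse_entry(line):
    """Parse the first line of a users-file entry: 'name Attr op value, ...'."""
    name, rest = line.split(None, 1)
    items = []
    for raw in rest.split(","):
        m = ITEM_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unsupported check item: {raw!r}")
        attr, op, value = m.groups()
        items.append((attr, op, value.strip().strip('"')))
    return name, items


def evaluate(line, request):
    """Return (matched, config_items) for one entry against one request."""
    name, items = parse_entry(line)
    if name != "DEFAULT" and name != request.get("User-Name"):
        return False, {}
    config = {}
    for attr, op, value in items:
        if op == ":=":
            # Assignment: always "matches" and becomes a configuration item.
            config[attr] = value
            continue
        # "==" is a comparison against what the NAS sent.
        if attr == "User-Password" and attr not in request:
            # Assumption from the thread's logs: with EAP there is no
            # User-Password in the request, the entry still matches, and
            # nothing is configured for MS-CHAP to use.
            continue
        if request.get(attr) != value:
            return False, {}
    return True, config


def lint(line):
    """Flag the two operator mistakes discussed in the thread."""
    _, items = parse_entry(line)
    warnings = []
    for attr, op, _ in items:
        if op == ":=" and attr in REQUEST_ATTRS:
            warnings.append(f"{attr} := never restricts; use == to require it")
        if op == "==" and attr == "User-Password":
            warnings.append("User-Password == only compares; use := to configure it")
    return warnings


# Entries taken from the thread, plus the combination the replies recommend.
BOTH_COMPARE = "vlan3 Cisco-AVPair == ssid=VLAN3, User-Password == test"
BOTH_SET = "vlan3 Cisco-AVPair := ssid=VLAN3, User-Password := test"
RECOMMENDED = "vlan3 Cisco-AVPair == ssid=VLAN3, User-Password := test"

# Constructed requests: PEAP/MS-CHAPv2, so no User-Password attribute.
RIGHT_SSID = {"User-Name": "vlan3", "Cisco-AVPair": "ssid=VLAN3"}
WRONG_SSID = {"User-Name": "vlan3", "Cisco-AVPair": "ssid=GUEST"}

if __name__ == "__main__":
    for entry in (BOTH_COMPARE, BOTH_SET, RECOMMENDED):
        print(entry)
        for label, req in (("right SSID", RIGHT_SSID), ("wrong SSID", WRONG_SSID)):
            matched, config = evaluate(entry, req)
            has_pw = "User-Password" in config
            print(f"  {label}: matched={matched} password_configured={has_pw}")
        for warning in lint(entry):
            print(f"  lint: {warning}")
```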
Re: Problem with Cisco-AVPair
Looks like a bouncing absence notice once more...

Listadmins please do something before we get 100s of bounces again...

greets
Sebastian

Dag Bodin wrote:

  I am away for a few days and cannot check my mail; get back to me after 24/4 or contact the office at [EMAIL PROTECTED] or +46-612-717780

  I’m out of office until April 24, contact office: [EMAIL PROTECTED] or +46-612-717780

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with Cisco-AVPair
Hello,

sorry, I had a bad configuration of my email client. I re-write my problem:

I want to authenticate my users with different SSIDs on different VLANs. My objective is to authenticate a user only on a selected SSID. With the wrong SSID the user shouldn't connect... I use PEAP-MS-CHAPv2 and the user is set as follows:

vlan3   Cisco-AVPair == ssid=VLAN3, User-Password == test
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 3,
        Tunnel-Type = VLAN

If I insert the check == in the Cisco-AVPair attribute, I have this log:

rad_recv: Access-Request packet from host 192.168.9.104:1645, id=21, length=240
        User-Name = vlan3
        Framed-MTU = 1400
        Called-Station-Id = 0012.dacb.8420
        Calling-Station-Id = 000c.f135.f1ba
        Cisco-AVPair = ssid=VLAN3
        Service-Type = Login-User
        Message-Authenticator = 0x57cbe83313e35c36a3878a5151361c44
        EAP-Message = 0x020900501900170301002029a86e41268c925e584b0924c058e045487523e0b2181541f520fe517e5fa67c1703010020ebe4e512af90e916f41fc666e138157bd279a6ed7f1ab44243f67e72d18ce012
        NAS-Port-Type = Wireless-802.11
        Cisco-NAS-Port = 260
        NAS-Port = 260
        State = 0xbb09e1038e24af4dc9f4002adb7d6b0a
        NAS-IP-Address = 192.168.9.104
        NAS-Identifier = ap
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
modcall[authorize]: module preprocess returns ok for request 8
modcall[authorize]: module mschap returns noop for request 8
rlm_realm: No '@' in User-Name = vlan3, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 8
rlm_eap: EAP packet type response id 9 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 8
users: Matched entry vlan3 at line 24
modcall[authorize]: module files returns ok for request 8
modcall: leaving group authorize (returns updated) for request 8
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module eap returns invalid for request 8
modcall: leaving group authenticate (returns invalid) for request 8
auth: Failed to validate the user.
Login incorrect: [vlan3/no User-Password attribute] (from client ap-test port 260 cli 000c.f135.f1ba)
Delaying request 8 for 1 seconds
Finished request 8

The radius doesn't authenticate my user, but the SSID is correct!

If I insert the check := in the Cisco-AVPair attribute, my user is authenticated on all my SSIDs.

Did I miss something in my configuration?

Thanks a lot for your support...
Antonio

on 06/04/2006 23.05 Kevin Bonner said the following:

  On Thursday 06 April 2006 08:24, Antonio Matera wrote:

    !DOCTYPE html PUBLIC -//W3C//DTD HTML 4.01 Transitional//EN

  Please stop using HTML when posting your messages. You just might get a few more useful responses from people who don't bother to read html-only messages.

  Kevin Bonner

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with Cisco-AVPair
Hi

I think you have to try in this way (for example):

TEST4 Cisco-AVPair == ssid=SSID1 , Auth-Type := EAP
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = 2,
    Tunnel-Type = VLAN

DEFAULT Auth-Type := Reject

if you want a password:

TEST4 Cisco-AVPair == ssid=SSID1 ,User-Password=, Auth-Type := EAP
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = 2,
    Tunnel-Type = VLAN

DEFAULT Auth-Type := Reject

Regards
sergio

Antonio Matera wrote:
My goal is to authenticate the user only if the SSID is right! Do you know how I can do it? Thanks Antonio

on 05/04/2006 17.33 Sergio Sagliocco said the following:
Hello, is your goal to authenticate users only if the SSID is right, or to have different EAP authentication methods based on SSID? regards sergio

Antonio Matera wrote:
Hallo, thanks for the answer. With your solution my radius doesn't authenticate my users. Is my configuration correct or do I need other changes in my radius files? Thanks bye

on 05/04/2006 15.27 Sergio Sagliocco said the following:
Hi I think you have to use == instead of := For example:

DEFAULT Cisco-AVPair == ssid=testLEAP , EAP-Type := Cisco-LEAP

Regards

--
Sergio SAGLIOCCO
SecureLAB - http://www.securelab.it
CSP s.c. a r.l. - http://www.csp.it
Villa Gualino
Viale Settimo Severo, 63 - 10133 Torino [IT]
tel. +39 011 481 5140 - Mobile +39 348 6024078
fax +39 011 481 5001
Re: Problem with Cisco-AVPair
Hallo,

If I set Cisco-AVPair == "ssid=SSID1" in my user authentication, the authentication fails with any SSID and user. If I set Cisco-AVPair := "ssid=SSID1" my users are always authenticated.

Is there any other configuration to set in the radius or in the access point?

In my access request there is the AVPair attribute:

rad_recv: Access-Request packet from host 192.168.9.104:1645, id=19, length=166
    User-Name = "TEST4"
    Framed-MTU = 1400
    Called-Station-Id = "0012.dacb.8420"
    Calling-Station-Id = "000c.f135.f1ba"
    Cisco-AVPair = "ssid=VLAN3"
    Service-Type = Login-User
    Message-Authenticator = 0xb2a3f1fd52d9d6ff9702cc8f1f480f46
    EAP-Message = 0x020600060d00
    NAS-Port-Type = Wireless-802.11
    Cisco-NAS-Port = "260"
    NAS-Port = 260
    State = 0x0491685cf8ece3184d685dedfedbb3d4
    NAS-IP-Address = 192.168.9.104
    NAS-Identifier = "ap"

but I don't understand if it works... Any idea?

Thanks

on 06/04/2006 11.39 Sergio Sagliocco said the following:
Hi I think you have to try in this way (for example):

TEST4 Cisco-AVPair == "ssid=SSID1" , Auth-Type := EAP
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = 2,
    Tunnel-Type = VLAN

DEFAULT Auth-Type := Reject

if you want a password:

TEST4 Cisco-AVPair == "ssid=SSID1" ,User-Password="", Auth-Type := EAP
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = 2,
    Tunnel-Type = VLAN

DEFAULT Auth-Type := Reject

Regards sergio

Antonio Matera wrote:
My goal is to authenticate the user only if the SSID is right! Do you know how I can do it? Thanks Antonio

on 05/04/2006 17.33 Sergio Sagliocco said the following:
Hello, is your goal to authenticate users only if the SSID is right, or to have different EAP authentication methods based on SSID? regards sergio

Antonio Matera wrote:
Hallo, thanks for the answer. With your solution my radius doesn't authenticate my users. Is my configuration correct or do I need other changes in my radius files? Thanks bye

on 05/04/2006 15.27 Sergio Sagliocco said the following:
Hi I think you have to use == instead of := For example:

DEFAULT Cisco-AVPair == "ssid=testLEAP" , EAP-Type := Cisco-LEAP

Regards

--
Antonio Matera
CREATE-NET
Via Solteri, 38 - 38100 Trento
e-mail: [EMAIL PROTECTED]
phone: +39 0461 408400 ext. 305
fax: +39 0461 421157
www.create-net.org
Re: Problem with Cisco-AVPair
I don't think you should be setting the Auth-Type. Just let FreeRADIUS work that out.

What are you doing with your Cisco AP? Are you doing PEAP/MS-CHAPv2? If so, then you must have a User-Password == foo in your user database and you *must not* set Auth-Type := EAP.

You should do as Sergio says and use == in your Cisco-AVPair check item. This is a comparison.

Rgds,
Guy

On 06/04/06, Antonio Matera [EMAIL PROTECTED] wrote:
Hallo, If I set Cisco-AVPair == ssid=SSID1 in my user authentication, the authentication fails with any SSID and user. If I set Cisco-AVPair := ssid=SSID1 my users are always authenticated. Is there any other configuration to set in the radius or in the access point? In my access request there is the AVPair attribute:

rad_recv: Access-Request packet from host 192.168.9.104:1645, id=19, length=166
    User-Name = TEST4
    Framed-MTU = 1400
    Called-Station-Id = 0012.dacb.8420
    Calling-Station-Id = 000c.f135.f1ba
    Cisco-AVPair = ssid=VLAN3
    Service-Type = Login-User
    Message-Authenticator = 0xb2a3f1fd52d9d6ff9702cc8f1f480f46
    EAP-Message = 0x020600060d00
    NAS-Port-Type = Wireless-802.11
    Cisco-NAS-Port = 260
    NAS-Port = 260
    State = 0x0491685cf8ece3184d685dedfedbb3d4
    NAS-IP-Address = 192.168.9.104
    NAS-Identifier = ap

but I don't understand if it works... Any idea? Thanks

on 06/04/2006 11.39 Sergio Sagliocco said the following:
Hi I think you have to try in this way (for example):

TEST4 Cisco-AVPair == ssid=SSID1 , Auth-Type := EAP
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = 2,
    Tunnel-Type = VLAN

DEFAULT Auth-Type := Reject

if you want a password:

TEST4 Cisco-AVPair == ssid=SSID1 ,User-Password=, Auth-Type := EAP
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = 2,
    Tunnel-Type = VLAN

DEFAULT Auth-Type := Reject

Regards sergio

Antonio Matera wrote:
My goal is to authenticate the user only if the SSID is right! Do you know how I can do it? Thanks Antonio

on 05/04/2006 17.33 Sergio Sagliocco said the following:
Hello, is your goal to authenticate users only if the SSID is right, or to have different EAP authentication methods based on SSID? regards sergio

Antonio Matera wrote:
Hallo, thanks for the answer. With your solution my radius doesn't authenticate my users. Is my configuration correct or do I need other changes in my radius files? Thanks bye

on 05/04/2006 15.27 Sergio Sagliocco said the following:
Hi I think you have to use == instead of := For example:

DEFAULT Cisco-AVPair == ssid=testLEAP , EAP-Type := Cisco-LEAP

Regards

--
Antonio Matera
CREATE-NET
Via Solteri, 38 - 38100 Trento
e-mail: [EMAIL PROTECTED]
phone: +39 0461 408400 ext. 305
fax: +39 0461 421157
www.create-net.org
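Added example (not part of any message in this thread, and not FreeRADIUS code): a simplified Python model of how a users-file entry treats == and := check items, run on the TEST4 request from the log quoted above. The function names and the reduced matching rules (single-valued attributes, first matching entry wins, no password or Fall-Through handling) are assumptions of the model.

```python
import re

# One "Attribute op value" check item; surrounding double quotes are optional.
ITEM = re.compile(r'\s*([\w-]+)\s*(==|:=|=)\s*"?(.*?)"?\s*$')

def parse_users(text):
    """Return [(entry_name, [(attr, op, value), ...])] from users-file text.
    Only the first line of each entry (the check items) is parsed; the
    indented reply-item lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line[0].isspace() or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
        checks = [m.groups() for m in map(ITEM.match, rest.split(",")) if m]
        entries.append((parts[0], checks))
    return entries

def match_checks(request, checks):
    """Return the config items an entry sets, or None if a == check fails."""
    config = {}
    for attr, op, value in checks:
        if op == "==":
            # Comparison: the request must carry this attribute with this value.
            if request.get(attr) != value:
                return None
        else:
            # := and = assign a value; nothing in the request is compared.
            config[attr] = value
    return config

def first_match(request, entries):
    """Return (entry_name, config) for the first entry whose name and checks match."""
    for name, checks in entries:
        if name in (request["User-Name"], "DEFAULT"):
            config = match_checks(request, checks)
            if config is not None:
                return name, config
    return None, {}

# Entry as first posted in the thread: := on Cisco-AVPair.
AS_POSTED = '''\
TEST4 Auth-Type := EAP, Cisco-AVPair := "ssid=SSID1"
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = 2,
    Tunnel-Type = VLAN
'''

# Entry with the == comparison and the DEFAULT reject from the replies
# (Auth-Type := EAP left out, as advised in the thread).
WITH_COMPARISON = '''\
TEST4 Cisco-AVPair == "ssid=SSID1"
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = 2,
    Tunnel-Type = VLAN
DEFAULT Auth-Type := Reject
'''

# Constructed from the Access-Request in the thread: TEST4 joining via ssid=VLAN3.
REQUEST = {"User-Name": "TEST4", "Cisco-AVPair": "ssid=VLAN3"}

if __name__ == "__main__":
    print(first_match(REQUEST, parse_users(AS_POSTED)))
    print(first_match(REQUEST, parse_users(WITH_COMPARISON)))
```

With := the TEST4 entry matches whatever SSID the access point reports, which is the "authenticated with the bad SSID" result in the first log; with == the same request skips TEST4 and lands on the DEFAULT reject.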
Re: Problem with Cisco-AVPair
Hallo,

I tried with EAP-TLS and PEAP/MS-CHAPv2. With the last, I have this user:

vlan3 Cisco-AVPair == "ssid=VLAN3", User-Password == "test"
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = 3,
    Tunnel-Type = VLAN

If I insert the check == in the Cisco-AVPair attribute, I have this log:

rad_recv: Access-Request packet from host 192.168.9.104:1645, id=21, length=240
    User-Name = "vlan3"
    Framed-MTU = 1400
    Called-Station-Id = "0012.dacb.8420"
    Calling-Station-Id = "000c.f135.f1ba"
    Cisco-AVPair = "ssid=VLAN3"
    Service-Type = Login-User
    Message-Authenticator = 0x57cbe83313e35c36a3878a5151361c44
    EAP-Message = 0x020900501900170301002029a86e41268c925e584b0924c058e045487523e0b2181541f520fe517e5fa67c1703010020ebe4e512af90e916f41fc666e138157bd279a6ed7f1ab44243f67e72d18ce012
    NAS-Port-Type = Wireless-802.11
    Cisco-NAS-Port = "260"
    NAS-Port = 260
    State = 0xbb09e1038e24af4dc9f4002adb7d6b0a
    NAS-IP-Address = 192.168.9.104
    NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
modcall[authorize]: module "preprocess" returns ok for request 8
modcall[authorize]: module "mschap" returns noop for request 8
rlm_realm: No '@' in User-Name = "vlan3", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 8
rlm_eap: EAP packet type response id 9 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 8
users: Matched entry vlan3 at line 24
modcall[authorize]: module "files" returns ok for request 8
modcall: leaving group authorize (returns updated) for request 8
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 8
modcall: leaving group authenticate (returns invalid) for request 8
auth: Failed to validate the user.
Login incorrect: [vlan3/no User-Password attribute] (from client ap-test port 260 cli 000c.f135.f1ba)
Delaying request 8 for 1 seconds
Finished request 8

The radius doesn't authenticate my user, but the SSID is correct! I don't understand what is wrong.

Thanks a lot for your support...
Antonio

on 06/04/2006 14.59 Guy Davies said the following:
I don't think you should be setting the Auth-Type. Just let FreeRADIUS work that out. What are you doing with your Cisco AP? Are you doing PEAP/MS-CHAPv2? If so, then you must have a User-Password == "foo" in your user database and you *must not* set Auth-Type := EAP. You should do as Sergio says and use == in your Cisco-AVPair check item. This is a comparison. Rgds, Guy

On 06/04/06, Antonio Matera [EMAIL PROTECTED] wrote:
Hallo, If I set Cisco-AVPair == "ssid=SSID1" in my user authentication, the authentication fails with any SSID and user. If I set Cisco-AVPair := "ssid=SSID1" my users are always authenticated. Is there any other configuration to set in the radius or in the access point? In my access request there is the AVPair attribute:

rad_recv: Access-Request packet from host 192.168.9.104:1645, id=19, length=166
    User-Name = "TEST4"
    Framed-MTU = 1400
    Called-Station-Id = "0012.dacb.8420"
    Calling-Station-Id = "000c.f135.f1ba"
    Cisco-AVPair = "ssid=VLAN3"
    Service-Type = Login-User
    Message-Authenticator = 0xb2a3f1fd52d9d6ff9702cc8f1f480f46
    EAP-Message = 0x020600060d00
    NAS-Port-Type = Wireless-802.11
    Cisco-NAS-Port = "260"
    NAS-Port = 260
    State = 0x0491685cf8ece3184d685dedfedbb3d4
    NAS-IP-Address = 192.168.9.104
    NAS-Identifier = "ap"

but I don't understand if it works... Any idea? Thanks

on 06/04/2006 11.39 Sergio Sagliocco said the following:
Hi I think you have to try in this way (for example):

TEST4 Cisco-AVPair == "ssid=SSID1" , Auth-Type := EAP
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = 2,
    Tunnel-Type = VLAN

DEFAULT Auth-Type := Reject

if you want a password:

TEST4 Cisco-AVPair == "ssid=SSID1" ,User-Password="", Auth-Type := EAP
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = 2,
    Tunnel-Type = VLAN

DEFAULT Auth-Type := Reject

Regards sergio

Antonio Matera wrote:
My goal is to have authenticate user only if the SSID is
Re: Problem with Cisco-AVPair
On Thursday 06 April 2006 08:24, Antonio Matera wrote:
!DOCTYPE html PUBLIC -//W3C//DTD HTML 4.01 Transitional//EN

Please stop using HTML when posting your messages. You just might get a few more useful responses from people who don't bother to read html-only messages.

Kevin Bonner
Problem with Cisco-AVPair
Hi all,

I have a problem with the user authentication with EAP TLS or PEAP on different SSIDs and VLANs. My objective is to authenticate one user only on a selected SSID.

At the moment I have this user with EAP-TLS, but if I use PEAP and I insert a user password, the problem is the same:

TEST4 Auth-Type := EAP, Cisco-AVPair := ssid=SSID1
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = 2,
    Tunnel-Type = VLAN

user2 Auth-Type := EAP, Cisco-AVPair := ssid=VLAN3
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = 3,
    Tunnel-Type = VLAN

and the log is the following:

rad_recv: Access-Request packet from host 192.168.9.104:1645, id=19, length=166
    User-Name = TEST4
    Framed-MTU = 1400
    Called-Station-Id = 0012.dacb.8420
    Calling-Station-Id = 000c.f135.f1ba
    Cisco-AVPair = ssid=VLAN3
    Service-Type = Login-User
    Message-Authenticator = 0xb2a3f1fd52d9d6ff9702cc8f1f480f46
    EAP-Message = 0x020600060d00
    NAS-Port-Type = Wireless-802.11
    Cisco-NAS-Port = 260
    NAS-Port = 260
    State = 0x0491685cf8ece3184d685dedfedbb3d4
    NAS-IP-Address = 192.168.9.104
    NAS-Identifier = ap
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 18
modcall[authorize]: module preprocess returns ok for request 18
modcall[authorize]: module mschap returns noop for request 18
rlm_realm: No '@' in User-Name = TEST4, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 18
rlm_eap: EAP packet type response id 6 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 18
users: Matched entry TEST4 at line 11
modcall[authorize]: module files returns ok for request 18
modcall: leaving group authorize (returns updated) for request 18
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 18
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap: Freeing handler
modcall[authenticate]: module eap returns ok for request 18
modcall: leaving group authenticate (returns ok) for request 18
Login OK: [TEST4/no User-Password attribute] (from client ap-test port 260 cli 000c.f135.f1ba)
Sending Access-Accept of id 19 to 192.168.9.104 port 1645
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = 2
    Tunnel-Type:0 = VLAN
    MS-MPPE-Recv-Key = 0x9cb007ac1a5c0cc6da1deaf25177ef52e7f8c195d876f95b2d18ac6106b497da
    MS-MPPE-Send-Key = 0x5cbd4de84c364538ec07001adad683cbbf80a349d0299d4790f4f16389aff161
    EAP-Message = 0x03060004
    Message-Authenticator = 0x
    User-Name = TEST4
Finished request 18

The user TEST4 is authenticated with the bad SSID. The check Cisco-AVPair := ssid=SSID1 doesn't work. What is wrong?

I read a lot of mail on this mailing list, I tried the option with_cisco_hack = yes in the radiusd.conf file but the problem is always the same. I don't understand what the problem is... Can someone help me?

Thanks a lot to all
Bye
Antonio
Re: Problem with Cisco-AVPair
Hi

I think you have to use == instead of :=

For example:

DEFAULT Cisco-AVPair == ssid=testLEAP , EAP-Type := Cisco-LEAP

Regards

--
Sergio SAGLIOCCO
SecureLAB - http://www.securelab.it
CSP s.c. a r.l. - http://www.csp.it
Villa Gualino
Viale Settimo Severo, 63 - 10133 Torino [IT]
tel. +39 011 481 5140 - Mobile +39 348 6024078
fax +39 011 481 5001

Antonio Matera wrote:
Hi all, I have a problem with the user authentication with EAP TLS or PEAP on different SSIDs and VLANs. My objective is to authenticate one user only on a selected SSID. At the moment I have this user with EAP-TLS, but if I use PEAP and I insert a user password, the problem is the same:

TEST4 Auth-Type := EAP, Cisco-AVPair := ssid=SSID1
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = 2,
    Tunnel-Type = VLAN

user2 Auth-Type := EAP, Cisco-AVPair := ssid=VLAN3
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = 3,
    Tunnel-Type = VLAN

and the log is the following:

rad_recv: Access-Request packet from host 192.168.9.104:1645, id=19, length=166
    User-Name = TEST4
    Framed-MTU = 1400
    Called-Station-Id = 0012.dacb.8420
    Calling-Station-Id = 000c.f135.f1ba
    Cisco-AVPair = ssid=VLAN3
    Service-Type = Login-User
    Message-Authenticator = 0xb2a3f1fd52d9d6ff9702cc8f1f480f46
    EAP-Message = 0x020600060d00
    NAS-Port-Type = Wireless-802.11
    Cisco-NAS-Port = 260
    NAS-Port = 260
    State = 0x0491685cf8ece3184d685dedfedbb3d4
    NAS-IP-Address = 192.168.9.104
    NAS-Identifier = ap
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 18
modcall[authorize]: module preprocess returns ok for request 18
modcall[authorize]: module mschap returns noop for request 18
rlm_realm: No '@' in User-Name = TEST4, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 18
rlm_eap: EAP packet type response id 6 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 18
users: Matched entry TEST4 at line 11
modcall[authorize]: module files returns ok for request 18
modcall: leaving group authorize (returns updated) for request 18
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 18
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap: Freeing handler
modcall[authenticate]: module eap returns ok for request 18
modcall: leaving group authenticate (returns ok) for request 18
Login OK: [TEST4/no User-Password attribute] (from client ap-test port 260 cli 000c.f135.f1ba)
Sending Access-Accept of id 19 to 192.168.9.104 port 1645
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = 2
    Tunnel-Type:0 = VLAN
    MS-MPPE-Recv-Key = 0x9cb007ac1a5c0cc6da1deaf25177ef52e7f8c195d876f95b2d18ac6106b497da
    MS-MPPE-Send-Key = 0x5cbd4de84c364538ec07001adad683cbbf80a349d0299d4790f4f16389aff161
    EAP-Message = 0x03060004
    Message-Authenticator = 0x
    User-Name = TEST4
Finished request 18

The user TEST4 is authenticated with the bad SSID. The check Cisco-AVPair := ssid=SSID1 doesn't work. What is wrong? I read a lot of mail on this mailing list, I tried the option with_cisco_hack = yes in the radiusd.conf file but the problem is always the same. I don't understand what the problem is... Can someone help me? Thanks a lot to all Bye Antonio
Re: Problem with Cisco-AVPair
Hallo, thanks for the answer.

With your solution my radius doesn't authenticate my users.

Is my configuration correct or do I need other changes in my radius files?

Thanks
bye

on 05/04/2006 15.27 Sergio Sagliocco said the following:
Hi I think you have to use == instead of := For example:

DEFAULT Cisco-AVPair == ssid=testLEAP , EAP-Type := Cisco-LEAP

Regards
Re: Problem with Cisco-AVPair
Hello

Is your goal to authenticate users only if the SSID is right, or to have different EAP authentication methods based on SSID?

regards
sergio

Antonio Matera wrote:
Hallo, thanks for the answer. With your solution my radius doesn't authenticate my users. Is my configuration correct or do I need other changes in my radius files? Thanks bye

on 05/04/2006 15.27 Sergio Sagliocco said the following:
Hi I think you have to use == instead of := For example:

DEFAULT Cisco-AVPair == ssid=testLEAP , EAP-Type := Cisco-LEAP

Regards

--
Sergio SAGLIOCCO
SecureLAB - http://www.securelab.it
CSP s.c. a r.l. - http://www.csp.it
Villa Gualino
Viale Settimo Severo, 63 - 10133 Torino [IT]
tel. +39 011 481 5140 - Mobile +39 348 6024078
fax +39 011 481 5001
Re: Problem with Cisco-AVPair
My goal is to authenticate the user only if the SSID is right!

Do you know how I can do it?

Thanks
Antonio

on 05/04/2006 17.33 Sergio Sagliocco said the following:
Hello, is your goal to authenticate users only if the SSID is right, or to have different EAP authentication methods based on SSID? regards sergio

Antonio Matera wrote:
Hallo, thanks for the answer. With your solution my radius doesn't authenticate my users. Is my configuration correct or do I need other changes in my radius files? Thanks bye

on 05/04/2006 15.27 Sergio Sagliocco said the following:
Hi I think you have to use == instead of := For example:

DEFAULT Cisco-AVPair == "ssid=testLEAP" , EAP-Type := Cisco-LEAP

Regards