"Mody Sachin (Princeton)" <[EMAIL PROTECTED]> wrote:
> I'm trying to use the class attribute in the reply message for a user entry,
> which uses eap module as the authentication type. I'm using EAP-MD5 as the
> method so the differentiation of the users based on the passwords should
> work, though I do not have a user-name collision. I'm only trying to send
> the class-attribute as a reply-message as part of the access-accept message.

The 'Class' attribute is a different attribute than 'Reply-Message', I'm not sure why you're confusing them.

> The question I have is, do I need to have the 'user-collide' option
> in the radius.conf file, turned to 'yes' for doing this or not,
> i.e. with the user-collide option as 'no', can I still use the
> class attribute?

The Class attribute, like any other RADIUS attribute, is completely unrelated to the user-collide option.

> I have tried to use the class attribute with both the user-collide option as
> 'yes' and 'no'. In the former case, the authentication stalls and does not
> complete,

Why? This has nothing to do with the Class attribute, it's a different problem.

> while in the latter case, when the user-collide is off, the server
> sends the class attribute as part of the access-accept message, but
> I do not see it in the accounting packets coming from the Cisco NAS
> thereafter.

Then the NAS is broken. The RFC says that it MUST send the Class attribute in the accounting request. If the NAS is broken, then there's NOTHING you can do to the RADIUS server to fix the NAS.

> Would this behavior be because Cisco might not have support for
> class attribute or because the eap module doesn't have support for
> class attribute.

The EAP module has nothing to do with the Class attribute. It doesn't know about Class, and it doesn't care.

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
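One way to confirm from captured packets whether a NAS echoes Class back in accounting, as an added example that is not part of the original message and not FreeRADIUS code. It parses the RADIUS attribute list (Class is attribute type 25) and reports Class values present in the Access-Accept but missing from the Accounting-Request; the function names, the `group=staff` value and the sample packets are constructed for illustration.

```python
import struct

ACCESS_ACCEPT, ACCOUNTING_REQUEST = 2, 4   # RADIUS packet codes
CLASS = 25                                  # Class attribute type

def parse_radius(packet: bytes):
    """Return (code, {attr_type: [values]}) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20                     # attributes follow the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:   # a_len counts its own 2 header bytes
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return code, attrs

def missing_class(accept: bytes, acct: bytes):
    """Class values sent in the Access-Accept but absent from the Accounting-Request."""
    a_code, a_attrs = parse_radius(accept)
    r_code, r_attrs = parse_radius(acct)
    if a_code != ACCESS_ACCEPT or r_code != ACCOUNTING_REQUEST:
        raise ValueError("expected Access-Accept then Accounting-Request")
    echoed = r_attrs.get(CLASS, [])
    return [v for v in a_attrs.get(CLASS, []) if v not in echoed]

def build(code, attrs):
    """Build a constructed test packet (authenticator zeroed, not valid on the wire)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed sample packets: 1 = User-Name, 40 = Acct-Status-Type (1 = Start)
START = b"\x00\x00\x00\x01"
ACCEPT = build(ACCESS_ACCEPT, [(CLASS, b"group=staff")])
ACCT_GOOD = build(ACCOUNTING_REQUEST, [(1, b"bob"), (40, START), (CLASS, b"group=staff")])
ACCT_BAD = build(ACCOUNTING_REQUEST, [(1, b"bob"), (40, START)])

if __name__ == "__main__":
    print("NAS that echoes Class, missing:", missing_class(ACCEPT, ACCT_GOOD))
    print("NAS that drops Class, missing:", missing_class(ACCEPT, ACCT_BAD))
```

A non-empty result for a session whose Access-Accept carried Class points at the NAS, not at the server configuration.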
