Hello Oliver,
thank you for your reply.
If Auth-Type is Accept, no EAP negotiation occurs. What I want is TTLS established and user credentials checked and also NAS-Identifier value checked. That is, block some TTLS users from connecting from behind other NAS than its own.
I get users accepted if TTLS user has only 'User-Password' and '==' in the radcheck. As soon as I add 'NAS-Identifier', '==', 'my_nas', it says Auth-Type not found.
I also tried:
+----+-----------+----------------+----+-----------+
| id | UserName  | Attribute      | op | Value     |
+----+-----------+----------------+----+-----------+
| 33 | eap_user  | User-Password  | == | xxxx      |
| 36 | eap_user  | Auth-Type      | ~= | EAP|MD5   |
| 35 | eap_user  | NAS-Identifier | == | my_nas    |
+----+-----------+----------------+----+-----------+
P.S. nas is a cisco and has attribute 32 customized
Oliver Graf <[EMAIL PROTECTED]> wrote:
On Mon, Oct 11, 2004 at 06:56:01AM -0700, Alex wrote:
> Hello,
>
> I want TTLS users to be authenticated using their login/pwd _AND_ the NAS-Identifier attribute from the Access-Req packet. It works fine with User-Password, but when I add NAS-Identifier == 'my_router' to radcheck table, freeradius says 'Auth-Type notfound'. The debug shows that 'my_router' sends the correct value for this attribute.
> When I change to :=, users can login even if the value is completely changed (i.e. I put his_router instead)
Use Auth-Type := Accept
Oliver.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

