Hi Antonio, If you're using the Cisco-AVPair as a check item, it *must* be on the first line of the user entry. e.g.
user1 Auth-Type := EAP, Cisco-AVPair := "ssid=SSID1" ... reply items here, one per line... If you want to configure it as a reply item, it should be... Cisco-AVPair = "ssid=SSID1" NOTE: =, not := for the reply item. Rgds, Guy On 29/03/06, Antonio Matera <[EMAIL PROTECTED]> wrote: > Hallo, > now I have the users configured as follow: > > user1 Auth-Type := EAP > Cisco-AVPair := "ssid=SSID1", > Tunnel-Medium-Type = IEEE-802, > Tunnel-Private-Group-Id = 2, > Tunnel-Type = VLAN > > user2 Auth-Type := EAP > Cisco-AVPair := "ssid=SSID2", > Tunnel-Medium-Type = IEEE-802, > Tunnel-Private-Group-Id = 3, > Tunnel-Type = VLAN > > > The AP has the radius-server vsa send authentication, but when I connect > for example to the SSID2 using user1, radius write this log for a big > number of request: > > > rad_recv: Access-Request packet from host 192.168.9.104:1645, id=167, > length=137 > User-Name = "user1" > Framed-MTU = 1400 > Called-Station-Id = "xxxx.xxxx.xxxx" > Calling-Station-Id = "xxxx.xxxx.xxxx" > Service-Type = Login-User > Message-Authenticator = 0xd58071e7b7c3b158323ae6e2da5cf746 > EAP-Message = 0x020600060d00 > NAS-Port-Type = Wireless-802.11 > NAS-Port = 1215 > State = 0x15f928ed12d8d4d1a278530b6dd26c21 > NAS-IP-Address = 192.168.9.104 > NAS-Identifier = "ap" > Processing the authorize section of radiusd.conf > modcall: entering group authorize for request 53 > modcall[authorize]: module "preprocess" returns ok for request 53 > modcall[authorize]: module "mschap" returns noop for request 53 > rlm_realm: No '@' in User-Name = "user1", looking up realm NULL > rlm_realm: No such realm "NULL" > modcall[authorize]: module "suffix" returns noop for request 53 > rlm_eap: EAP packet type response id 6 length 6 > rlm_eap: No EAP Start, assuming it's an on-going EAP conversation > modcall[authorize]: module "eap" returns updated for request 53 > users: Matched entry user1 at line 14 > modcall[authorize]: module "files" returns ok for request 53 > modcall: leaving group authorize (returns updated) for request 53 > rad_check_password: Found Auth-Type EAP > auth: type "EAP" > Processing the authenticate section of radiusd.conf > modcall: entering group authenticate for request 53 > rlm_eap: Request found, released from the list > rlm_eap: EAP/tls > rlm_eap: processing type tls > rlm_eap_tls: Authenticate > rlm_eap_tls: processing TLS > rlm_eap_tls: Received EAP-TLS ACK message > rlm_eap_tls: ack handshake is finished > eaptls_verify returned 3 > eaptls_process returned 3 > rlm_eap: Freeing handler > modcall[authenticate]: module "eap" returns ok for request 53 > modcall: leaving group authenticate (returns ok) for request 53 > Login OK: [user1/<no User-Password attribute>] (from client ap-test port > 1215 cli 000c.f135.f1ba) > Sending Access-Accept of id 167 to 192.168.9.104 port 1645 > Cisco-AVPair := "ssid=SSID1" > Tunnel-Medium-Type:0 = IEEE-802 > Tunnel-Private-Group-Id:0 = "2" > Tunnel-Type:0 = VLAN > MS-MPPE-Recv-Key = > 0x4b79e8c8d51a317ecfc389ae1109e9cbf4fed548b081a3d9a207cb1673fb2011 > MS-MPPE-Send-Key = > 0x00c78f66a7706dbc37c2ef3a9cf1f4f183b28d840da50d583ae780041fe1f1d9 > EAP-Message = 0x03060004 > Message-Authenticator = 0x00000000000000000000000000000000 > User-Name = "user1" > Finished request 53 > > > > The XP client tell that the SSID2 is connected, but if I try to navigate > on the VLAN1 or VLAN2 i can't do it. > > Why the radius receive a big number of request from the client and it > doesn't sent a failed authorization? It is possible to eliminate the > requests after the first? > It is possible to send to the XP client a failed authorization? At the > moment the client doesn't understand if it is or isn't connected to the > SSID. > > > > Thanks a lot for your time > Bye Antonio > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
