On 09/12/2011 05:34 PM, Jethro R Binks wrote:

Hello Jethro,

> My observation is that Radiator adds the attributes to all the packets,
> including the Access-Challenge packets. I would vaguely have thought that
> they only matter on the Access-Accept final reply, however I am beginning
> to suspect that some of my APs do care and don't work properly if the
> attribute appears in the Access-Challenge responses (in discussion with
> vendor about that one).

If you find out if there's a problem with the AP behaviour, please let the list know. So far I have not heard about attributes in Access-Challenges causing problems.

> Does anyone have a view on what correct behaviour should be, whether it
> matters, or if this is known to cause an issue with some hardware?

Closest discussion I know of the topic is this:
http://tools.ietf.org/html/rfc5080#section-2.5

But even this does not discuss Access-Challenge. It does hint for caution, but in case of VLAN assignment, I would say the client should just ignore the attributes until the Access-Accept.

> Is there a way to ensure that the attributes are only added to the final
> reply, in case it does actually matter in some environments?

You can move the AddToReply into inner AuthBy. The attributes will be copied to outgoing Access-Accept but not to challenges.

If that is not possible, you could use a PostAuthHook that checks the result and only does add_attr() if the result was ACCEPT. See the reference manual for more about PostAuthHook parameters and goodies/hooks.txt for PostAuthHook examples.

Thanks!
Heikki

--
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
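A sketch of the PostAuthHook approach described in the reply above, added here as an illustration; it is not part of the original message and not taken from goodies/hooks.txt. It assumes the hook receives references to the request, the reply, the result code and the reason string, that `$main::ACCEPT` is the accept result constant, and that the dictionary in use defines the value names `VLAN` and `Ether_802`; the VLAN ID is a constructed sample value.

```perl
# PostAuthHook body: add VLAN assignment attributes only to the final
# Access-Accept, never to Access-Challenge or Access-Reject replies.
# Assumed argument layout (check the reference manual for your version):
#   $_[0] ref to request, $_[1] ref to reply,
#   $_[2] ref to result code, $_[3] ref to reject reason
sub
{
    my $p      = ${$_[0]};   # current request packet (unused here)
    my $rp     = ${$_[1]};   # reply packet being constructed
    my $result = $_[2];      # reference to the authentication result

    # Challenges, rejects and ignored requests pass through untouched,
    # so intermediate EAP round trips carry no VLAN attributes.
    return unless $$result == $main::ACCEPT;

    # RFC 3580 style VLAN assignment. Value names depend on the
    # dictionary in use; '100' is a constructed sample VLAN ID.
    $rp->add_attr('Tunnel-Type', 'VLAN');
    $rp->add_attr('Tunnel-Medium-Type', 'Ether_802');
    $rp->add_attr('Tunnel-Private-Group-ID', '100');

    return;
}
```

If this hook is used, the same attributes should be removed from any outer AddToReply, otherwise they will still appear in the challenges.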
