Re: MSCHAP issue - [mschap] FAILED: MS-CHAP2-Response is incorrect
jon michaels wrote: I am attempting to replicate a test setup into production and somewhere along the way I must have forgotten something. I have an NT-Password stored in a mysql database and currently get the following response from freeradius upon authenticating: Well... if the server says the response is incorrect, it's likely to be incorrect. Try using radtest from 2.1.10. It can generate MS-CHAP requests. If those also have response incorrect, then there's something very weird. Also, try putting a test user into the users file. i.e. try narrowing down the possibilities of what the problem is. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Problem with Alcatel 4604 and Cisco ACS
Hello, I'm in trouble trying to authenticate a client connecting to an Alcatel 4604 (Aruba device) to a Cisco ACS, because my alcatel send as Called-Station-Id value its mac-address. On the Cisco side, this value correspond to the SSID value, while this attribute on Alcatel is send via Aruba-Essid-Name (attribute 5 in dictionary.aruba). Is there a way to change this behavior or a remap of this attribute for Alcatel? Thanks. Matteo - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with Alcatel 4604 and Cisco ACS
On 2010/10/07 10:01 AM, matteo wrote: Hello, I'm in trouble trying to authenticate a client connecting to an Alcatel 4604 (Aruba device) to a Cisco ACS, because my alcatel send as Called-Station-Id value its mac-address. On the Cisco side, this value correspond to the SSID value, while this attribute on Alcatel is send via Aruba-Essid-Name (attribute 5 in dictionary.aruba). Is there a way to change this behavior or a remap of this attribute for Alcatel? Where is Freeradius involved? -- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with Alcatel 4604 and Cisco ACS
On 10/07/2010 10:11 AM, Johan Meiring wrote: On 2010/10/07 10:01 AM, matteo wrote: Hello, I'm in trouble trying to authenticate a client connecting to an Alcatel 4604 (Aruba device) to a Cisco ACS, because my alcatel send as Called-Station-Id value its mac-address. On the Cisco side, this value correspond to the SSID value, while this attribute on Alcatel is send via Aruba-Essid-Name (attribute 5 in dictionary.aruba). Is there a way to change this behavior or a remap of this attribute for Alcatel? Where is Freeradius involved? Sorry, yes, there's a freeradius 2.1.x proxying requests for the realm managed by that ACS Thanks - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with Alcatel 4604 and Cisco ACS
On 10/07/2010 10:11 AM, Johan Meiring wrote: On 2010/10/07 10:01 AM, matteo wrote: Hello, I'm in trouble trying to authenticate a client connecting to an Alcatel 4604 (Aruba device) to a Cisco ACS, because my alcatel send as Called-Station-Id value its mac-address. On the Cisco side, this value correspond to the SSID value, while this attribute on Alcatel is send via Aruba-Essid-Name (attribute 5 in dictionary.aruba). Is there a way to change this behavior or a remap of this attribute for Alcatel? Where is Freeradius involved? My freeradius 2.1.x is proxying requests for a realm managed by the ACS Thanks - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
how to get vendor specific attribute value
Hello, I want to retrieve the value of the vsa attribute from the Access-accept response of free radius (I use tiny radius client). I tried to add attribute in the users file like this: testing Cleartext-Password := t...@titi ROLE = user But I found unknown attribute sent in the ethereal trace even though I defined it in a customer dictionary. i need your help - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: how to get vendor specific attribute value
Noura Kossentini wrote: Hello, I want to retrieve the value of the vsa attribute from the Access-accept response of free radius (I use tiny radius client). Ask them how to use their API. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: WiMax VSA Support
I don't have access to an Alvarion ASN-GW so I can't specifically test this all. Looking back over the service assignment again I see I didn't grab everything. I did grab the QOS descriptors, but missed the packet flow descriptor. This is the corrected full sample service that provisions services of 2Mbps/512kbps. WiMAX-QoS-Id:= 101 WiMAX-Service-Class-Name:= DATA WiMAX-Schedule-Type := Best-Effort WiMAX-Traffic-Priority := 1 WiMAX-Maximum-Sustained-Traffic-Rate:= 512000 WiMAX-Reduced-Resources-Code:= 1 WiMAX-QoS-Id+= 102 WiMAX-Service-Class-Name+= DATA WiMAX-Schedule-Type += Best-Effort WiMAX-Traffic-Priority += 1 WiMAX-Maximum-Sustained-Traffic-Rate+= 2097152 WiMAX-Reduced-Resources-Code+= 1 WiMAX-Packet-Data-Flow-Id := 22 WiMAX-Service-Data-Flow-Id := 22 WiMAX-Direction := Bi-Directional WiMAX-Activation-Trigger:= 15 WiMAX-Transport-Type:= IPv4-CS WiMAX-Uplink-QOS-Id := 101 WiMAX-Downlink-QOS-Id := 102 WiMAX-Uplink-Classifier := permit in any src any dst any priority 1 WiMAX-Downlink-Classifier := permit in any src any dst any priority 1 The root is that you need to read and understand the interdependencies of the QOS descriptor and packet flow descriptor if you want to do this. Seriously. It isn't entirely trivial and there are differences depending on the Schedule Type. Again... check out the WMF stage three docs for whichever version of the WMF the Alvarion ASN-GW currently supports, namely these sections: 5.4.2.28 Packet-Flow Descriptor 5.4.2.29 QoS-Descriptor and Table 5-10 The requirements are outlined there. You can also pre-provision the services on the ASN-GW and simply supply the proper service ID information. e.g. WiMAX-Packet-Data-Flow-Id := 30 WiMAX-Service-Data-Flow-Id := 30 WiMAX-Service-Profile-Id:= 30 WiMAX-Packet-Data-Flow-Id += 110 WiMAX-Service-Data-Flow-Id += 110 WiMAX-Service-Profile-Id+= 110 Where the services listed are defined on the ASN-GW with those ID numbers. Which of the above methods to use is going to depend on your requirements. Having said that, Alvarion has had a history of... creative... interpretations of various standards. Without a sample Access-Accept that apparently works when using the Filter-Id I can't compare. I would do the following: Ensure there aren't any differences in the non-QOS attributes being returned in the two separate cases: the working Filter-Id network entry and the second failing case. Alvarion's errors aren't always explanatory or related to the actual root cause so the strange error you are getting may be related to services, or may be related to an EAP or other underlying issue. Again, I don't have an Alvarion ASN-GW so I can't tell you. Once you are sure there are not any other EAP issues, it may be easier to use the second method to provision services until you actually understand the details of the packet flow descriptor and qos descriptor. Your ASN-GW may or may not have the same requirements as ours depending on which WMF release is supported, and how well that release is supported. Ben -Original Message- From: freeradius-users- bounces+wiechman.lists=gmail@lists.freeradius.org [mailto:freeradius-users- bounces+wiechman.lists=gmail@lists.freeradius.org] On Behalf Of Anup Sent: Thursday, October 07, 2010 12:19 AM To: FreeRadius users mailing list Subject: Re: WiMax VSA Support - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Question about NAS-Port attribute when using freeradiusclient
Hello All I am using freeradiusclient in combination with PPP in order to setup RADIUS authentication for PPTP users. Actually, I managed to authenticate users using RADIUS but I noticed that the NAS-Port attribute which is sent to RADIUS server is always 0. Is this normal? Is there any way to generate proper values for NAS-Port? Is this attribute set by radiusclient or is it extracted from somewhere else? (PPP, maybe?) Warm Regards Ali Majdzadeh Kohbanani - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html