Re: RADIUS attributes: acctoutputoctects and acctinputoctect in mikrotik
On Tue, May 19, 2009 at 9:10 AM, liran tal wrote:
> Hey Santiago,
> I am in a need to get a Nomadix AG3100 gateway to do the same thing as you
> have done - get it to authenticate
> to FreeRADIUS and redirect to portal pages for a simple user/pass login.
> I've exchanged a bunch of emails with their support team (which is awful)
> and read their guides but it's
> terribly cumbersome and seems that some kind of XML interface is required to
> be implemented.
> I was hoping to get some pointers from you on getting this working,

We have implemented a solution with the Nomadix access gateway, using an external web server and the XML Web Services interface. If you just need simple RADIUS login it is easiest to use the internal web server (IWS); this can be configured without using the XML web services. See the User Manual to understand how this works. We have had no problems with Nomadix interacting with FreeRADIUS and other RADIUS servers.

---
Regards,
Brage Rønning Tukkensæter
Trådløse Trondheim AS

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: RADIUS attributes: acctoutputoctects and acctinputoctect in mikrotik
Hey Santiago,

I am in a need to get a Nomadix AG3100 gateway to do the same thing as you have done - get it to authenticate to FreeRADIUS and redirect to portal pages for a simple user/pass login. I've exchanged a bunch of emails with their support team (which is awful) and read their guides but it's terribly cumbersome and seems that some kind of XML interface is required to be implemented. I was hoping to get some pointers from you on getting this working.

Thanks,
Liran.

On Wed, Jul 25, 2007 at 9:57 AM, Santiago Balaguer García <santiago...@hotmail.com> wrote:
> However, I work with a Nomadix 2000 and Nomadix 2100, and I did the same 10
> MB download.
>
> So I did a test downloading the last MT firmware version: 2.9.44 (10.4 MB):
>
> Nomadix [Acct-Input-Octets]: 12533328
> Nomadix [Acct-Output-Octets]: 271598
> Mikrotik[Acct-Input-Octets]: 248630
> Mikrotik[Acct-Output-Octets]: 11441495
>
> Are you sure that it works fine?
>
> --
> Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
> Subject: Re: RADIUS attributes: acctoutputoctects and acctinputoctect in mikrotik
> Date: Tue, 24 Jul 2007 20:16:10 +0100
> >I have RouterOSv2.9 and input is input and output is output.
> >
> >Ivan Kalik
> >Kalik Informatika ISP
> >
> >On 24/7/2007, "Santiago Balaguer García" wrote:
> >
> > >Hi,
> > >
> > > I have been working with freeradius and mikrotik routers for two years.
> > > However, I have never realized that the radius attributes acctoutputoctects
> > > and acctinputoctects are interchanged in mikrotik.
> > >
> > > Does anyone know this mikrotik bug?
> > >
> > > Santiago
Re: radius attributes for cisco ip phone
Rupert Finnigan wrote:
> On 17/01/2008, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > I have hp procurve 3500yl switches for which i use mac based authentication against radius server.
> > The radius server should assign the vlan's.
> > The pc that hangs behind the phone get the correct vlan, but the phone doesn't.
>
> Are you connecting the phone to the wall socket, and then the PC to the "link" socket on the phone? If this is the case then it's working as it should do.. the HP switch NAS is authenticating the PC's MAC, and opening the switchport on the correct VLAN for the PC, and so the phone will be on that VLAN too - they're on the same ethernet segment.
>
> If you've got a PC linked via the phone, and you want the phone to be on one VLAN, and the PC on the other I believe you have to configure the switch-port as a trunk, and then configure the phone accordingly.

HP ProCurve edge series can only dynamically assign a single untagged VLAN to any one switch port.

It is not possible to create dynamic VLAN trunks. It may be possible to create a VLAN trunk statically, then leave the switch to do VLAN assignment, and just deny/allow access via the RADIUS server.

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
Re: radius attributes for cisco ip phone
Hi,

> HP ProCurve edge series can only dynamically assign a single untagged VLAN
> to any one switch port.
> It is not possible to create dynamic VLAN trunks. It may be possible to
> create a VLAN trunk statically, then leave the switch to do VLAN
> assignment, and just deny/allow access via the RADIUS server.

..and with Cisco switches you can assign a switchport vlan and a voice vlan for the port - with each servicing each device on the port - using multihost 802.1x method...but the cisco phone has, of course, cisco-centric features.

alan
Re: radius attributes for cisco ip phone
On 17/01/2008, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> I have hp procurve 3500yl switches for which i use mac based authentication
> against radius server.
> The radius server should assign the vlan's.
> The pc that hangs behind the phone get the correct vlan, but the phone
> doesn't.

Are you connecting the phone to the wall socket, and then the PC to the "link" socket on the phone? If this is the case then it's working as it should do.. the HP switch NAS is authenticating the PC's MAC, and opening the switchport on the correct VLAN for the PC, and so the phone will be on that VLAN too - they're on the same ethernet segment.

If you've got a PC linked via the phone, and you want the phone to be on one VLAN, and the PC on the other I believe you have to configure the switch-port as a trunk, and then configure the phone accordingly.
Re: radius attributes for cisco ip phone
> >The phone doesn't seem to receive an ip. Is there an error in my config?

Depends. Where is IP address supposed to come from? radius? dhcp? If PC has static configuration all it needs is a correct VLAN and it will work.

Ivan Kalik
Kalik Informatika ISP
radius attributes for cisco ip phone
I have hp procurve 3500yl switches for which i use mac based authentication against radius server.
The radius server should assign the vlan's.
The pc that hangs behind the phone get the correct vlan, but the phone doesn't.

The radius userfile contains this for the phone (for the pc i have the same structure, only different vlan):

    001c13d6b06f    User-Password == "001c13d6b06f"
                    Tunnel-Type = VLAN,
                    Tunnel-Medium-Type = IEEE-802,
                    Tunnel-Private-Group-id = "20"

The phone doesn't seem to receive an ip. Is there an error in my config?

Stieven Struyf
M.I.S. Division - System Operations
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
[EMAIL PROTECTED]
Tel. +32 (0)2 2552551

"The question of whether a computer can think is no more interesting than the question of whether a submarine can swim." -- E. W. Dijkstra
Re: RADIUS attributes: acctoutputoctects and acctinputoctect in mikrotik
On Wed 25 Jul 2007, Santiago Balaguer García wrote:
> However, I work with a Nomadix 2000 and Nomadix 2100, and I did the same
> 10 MB download. So I did a test downloading the last MT firmware version:
> 2.9.44 (10.4 MB):
>
> Nomadix [Acct-Input-Octets]: 12533328
> Nomadix [Acct-Output-Octets]: 271598
> Mikrotik[Acct-Input-Octets]: 248630
> Mikrotik[Acct-Output-Octets]: 11441495
>
> Are you sure that it works fine?

This would appear to show that the Mikrotik is correct and the Nomadix is wrong...

If you were downloading from the device then the bulk of the traffic should be in the Acct-Output-Octets counter (i.e. traffic output from the device towards you).

Cheers
--
Peter Nixon
http://peternixon.net/
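Added example (not part of the original thread, and not FreeRADIUS code): a Python check that decodes Acct-Input-Octets and Acct-Output-Octets from an Accounting-Request and compares them with a known download, following the RFC 2866 direction described in the message above. The two packets are constructed from the counter values quoted in the thread; the function names, the 25% tolerance and the conversion of 10.4 MB to bytes are assumptions.

```python
import struct

ACCOUNTING_REQUEST = 4
ACCT_INPUT_OCTETS = 42   # RFC 2866: octets received from the port (user -> NAS)
ACCT_OUTPUT_OCTETS = 43  # RFC 2866: octets sent to the port (NAS -> user)


def build_accounting_request(attrs, identifier=1):
    """Build a constructed Accounting-Request with 32-bit integer attributes.

    The 16-byte authenticator is zeroed: the sample is parsed locally and is
    never sent to or verified by a RADIUS server.
    """
    body = b"".join(struct.pack("!BBI", a_type, 6, value) for a_type, value in attrs)
    header = struct.pack("!BBH16s", ACCOUNTING_REQUEST, identifier,
                         20 + len(body), bytes(16))
    return header + body


def parse_attributes(packet):
    """Return (code, {attribute type: [value bytes, ...]}), validating framing."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not fit the received data")
    attrs = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return code, attrs


def octet_counters(packet):
    """Return (Acct-Input-Octets, Acct-Output-Octets); None if one is absent."""
    code, attrs = parse_attributes(packet)
    if code != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")

    def u32(a_type):
        values = attrs.get(a_type)
        if not values:
            return None
        if len(values[-1]) != 4:
            raise ValueError("octet counter is not a 32-bit integer")
        return struct.unpack("!I", values[-1])[0]

    return u32(ACCT_INPUT_OCTETS), u32(ACCT_OUTPUT_OCTETS)


def check_download(packet, downloaded_bytes, tolerance=0.25):
    """Classify a NAS from one session in which the user downloaded a known size.

    'rfc2866' - Acct-Output-Octets carries the download (traffic sent to the user)
    'swapped' - Acct-Input-Octets carries it instead
    'unclear' - neither or both counters are close to the download size
    """
    acct_in, acct_out = octet_counters(packet)
    if acct_in is None or acct_out is None:
        return "unclear"
    low = downloaded_bytes * (1 - tolerance)
    high = downloaded_bytes * (1 + tolerance)
    in_matches = low <= acct_in <= high
    out_matches = low <= acct_out <= high
    if out_matches and not in_matches:
        return "rfc2866"
    if in_matches and not out_matches:
        return "swapped"
    return "unclear"


# Assumption: the 10.4 MB firmware download expressed in bytes.
DOWNLOAD_BYTES = int(10.4 * 1024 * 1024)

# Constructed packets carrying the counter values quoted in the thread.
SAMPLES = {
    "Nomadix": build_accounting_request(
        [(ACCT_INPUT_OCTETS, 12533328), (ACCT_OUTPUT_OCTETS, 271598)]),
    "Mikrotik": build_accounting_request(
        [(ACCT_INPUT_OCTETS, 248630), (ACCT_OUTPUT_OCTETS, 11441495)]),
}

if __name__ == "__main__":
    for nas, packet in SAMPLES.items():
        print(nas, octet_counters(packet), check_download(packet, DOWNLOAD_BYTES))
```

Where quotas or billing depend on these counters, a per-NAS result of 'swapped' means the two attributes have to be exchanged before they are stored or compared.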
Re: RADIUS attributes: acctoutputoctects and acctinputoctect in mikrotik
However, I work with a Nomadix 2000 and Nomadix 2100, and I did the same 10 MB download.

So I did a test downloading the last MT firmware version: 2.9.44 (10.4 MB):

Nomadix [Acct-Input-Octets]: 12533328
Nomadix [Acct-Output-Octets]: 271598
Mikrotik[Acct-Input-Octets]: 248630
Mikrotik[Acct-Output-Octets]: 11441495

Are you sure that it works fine?

From: <[EMAIL PROTECTED]>
Reply-To: FreeRadius users mailing list
To: "FreeRadius users mailing list"
Subject: Re: RADIUS attributes: acctoutputoctects and acctinputoctect in mikrotik
Date: Tue, 24 Jul 2007 20:16:10 +0100
>I have RouterOSv2.9 and input is input and output is output.
>
>Ivan Kalik
>Kalik Informatika ISP
>
>On 24/7/2007, "Santiago Balaguer García" <[EMAIL PROTECTED]> wrote:
>
> >Hi,
> >
> > I have been working with freeradius and mikrotik routers for two years. However, I have never realized that the radius attributes acctoutputoctects and acctinputoctects are interchanged in mikrotik.
> >
> > Does anyone know this mikrotik bug?
> >
> > Santiago
Re: RADIUS attributes: acctoutputoctects and acctinputoctect in mikrotik
I have RouterOSv2.9 and input is input and output is output.

Ivan Kalik
Kalik Informatika ISP

On 24/7/2007, "Santiago Balaguer García" <[EMAIL PROTECTED]> wrote:
>Hi,
>
> I have been working with freeradius and mikrotik routers for two years.
> However, I have never realized that the radius attributes acctoutputoctects
> and acctinputoctects are interchanged in mikrotik.
>
> Does anyone know this mikrotik bug?
>
> Santiago
RADIUS attributes: acctoutputoctects and acctinputoctect in mikrotik
Hi,

I have been working with freeradius and mikrotik routers for two years. However, I have never realized that the radius attributes acctoutputoctects and acctinputoctects are interchanged in mikrotik.

Does anyone know this mikrotik bug?

Santiago
Re: Radius attributes and APs
Manuel Sánchez Cuenca <[EMAIL PROTECTED]> wrote:
> I can't find this link in the wiki. Can you put here the link to the specific
> url in the wiki?

I put the information on the "Linksys" and "Cisco" pages.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Radius attributes and APs
I'm all up for that and I'll add my contribution to the wiki of the AP's I've encountered.

On 11/25/06, David Mitton <[EMAIL PROTECTED]> wrote:
> On 11/23/2006 02:09 PM, Alan DeKok wrote:
> >Manuel Sanchez Cuenca wrote:
> > > Alan DeKok wrote:
> > >> Do you have a more specific question?
> > >>
> > > But not all APs enforce the Radius attributes. For example the Linksys
> > > wrt54g doesn't take into account the session timeout attribute. So, can
> > > you tell me any AP which enforces this attribute, and others?
> >
> > If there was such a list, it would be up on freeradius.org, or on the
> >wiki. That is, you're asking on the FreeRADIUS list about NAS
> >documentation.
> >
> > I suggest picking an AP, and then reading its documentation to see if
> >it supports the attributes, or asking the NAS vendor.
> >
> > Alan DeKok.
> >--
>
> The problem with compiling such a list is acquiring the equipment to test. Most of us just buy a couple APs and live with what we get.
>
> I discovered that the Linksys didn't honor Session-Timeouts when I captured it screwing up EAP-POTP sessions in progress, despite our RADIUS server providing Session-Timeout values in every EAP exchange. I think it's actually not properly implementing the 802.1x state machine in its timeout behavior.
>
> And I didn't go looking for this. It was brought to my attention when someone else had a problem.
>
> The only AP that I know that works for everything I throw at it, during development, is the Cisco Aironet 1200 series. The only problem is that it's not cheap. But it works for me, so I don't try others.
>
> Dave.
Re: Radius attributes and APs
Alan DeKok wrote:
> David Mitton wrote:
> > The problem with compiling such a list is acquiring the equipment to test.
>
> Adding up everyone on this list, we can probably account for most networking equipment sold in the past 10 years. The problem is getting that information out, and into the public arena.
>
> > I discovered that the Linksys didn't honor Session-Timeouts when I captured it screwing up EAP-POTP sessions in progress, despite our RADIUS server providing Session-Timeout values in every EAP exchange. I think it's actually not properly implementing the 802.1x state machine in its timeout behavior.
>
> I've updated the Wiki with a pointer to this message. :)

I can't find this link in the wiki. Can you put here the link to the specific url in the wiki?

Thanks.

> > The only AP that I know that works for everything I throw at it, during development, is the Cisco Aironet 1200 series. The only problem is that it's not cheap. But it works for me, so I don't try others.
>
> I've updated the Wiki with that information, too.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog

--
Manuel Sanchez Cuenca
Departamento de Ingenieria de la Informacion y las Comunicaciones
Facultad de Informatica. Universidad de Murcia
Campus de Espinardo - 30080 Murcia (SPAIN)
Tel.: +34-968-364644
Fax: +34-968-364151
email: [EMAIL PROTECTED] | [EMAIL PROTECTED]
url: http://libra.inf.um.es/~lolo
Re: Radius attributes and APs
David Mitton wrote:
> The problem with compiling such a list is acquiring the equipment to test.

Adding up everyone on this list, we can probably account for most networking equipment sold in the past 10 years. The problem is getting that information out, and into the public arena.

> I discovered that the Linksys didn't honor Session-Timeouts when I
> captured it screwing up EAP-POTP sessions in progress, despite our
> RADIUS server providing Session-Timeout values in every EAP exchange.
> I think it's actually not properly implementing the 802.1x state machine
> in its timeout behavior.

I've updated the Wiki with a pointer to this message. :)

> The only AP that I know that works for everything I throw at it, during
> development, is the Cisco Aironet 1200 series. The only problem is
> that it's not cheap. But it works for me, so I don't try others.

I've updated the Wiki with that information, too.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Radius attributes and APs
On 11/23/2006 02:09 PM, Alan DeKok wrote:
> Manuel Sanchez Cuenca wrote:
> > Alan DeKok wrote:
> >> Do you have a more specific question?
> >>
> > But not all APs enforce the Radius attributes. For example the Linksys
> > wrt54g doesn't take into account the session timeout attribute. So, can
> > you tell me any AP which enforces this attribute, and others?
>
> If there was such a list, it would be up on freeradius.org, or on the wiki. That is, you're asking on the FreeRADIUS list about NAS documentation.
>
> I suggest picking an AP, and then reading its documentation to see if it supports the attributes, or asking the NAS vendor.
>
> Alan DeKok.
> --

The problem with compiling such a list is acquiring the equipment to test. Most of us just buy a couple APs and live with what we get.

I discovered that the Linksys didn't honor Session-Timeouts when I captured it screwing up EAP-POTP sessions in progress, despite our RADIUS server providing Session-Timeout values in every EAP exchange. I think it's actually not properly implementing the 802.1x state machine in its timeout behavior.

And I didn't go looking for this. It was brought to my attention when someone else had a problem.

The only AP that I know that works for everything I throw at it, during development, is the Cisco Aironet 1200 series. The only problem is that it's not cheap. But it works for me, so I don't try others.

Dave.
Re: Radius attributes and APs
Manuel Sanchez Cuenca wrote:
> Alan DeKok wrote:
>> Do you have a more specific question?
>>
> But not all APs enforce the Radius attributes. For example the Linksys
> wrt54g doesn't take into account the session timeout attribute. So, can
> you tell me any AP which enforces this attribute, and others?

If there was such a list, it would be up on freeradius.org, or on the wiki. That is, you're asking on the FreeRADIUS list about NAS documentation.

I suggest picking an AP, and then reading its documentation to see if it supports the attributes, or asking the NAS vendor.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Radius attributes and APs
Alan DeKok wrote:
> Manuel Sánchez Cuenca wrote:
> > Can anybody tell me any Access Point which understands and enforces some radius attributes returned by freeradius, such as Session-Timeout.
>
> Access points implement RADIUS, so they understand RADIUS attributes.
>
> Do you have a more specific question?

But not all APs enforce the Radius attributes. For example the Linksys wrt54g doesn't take into account the session timeout attribute. So, can you tell me any AP which enforces this attribute, and others?

> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: Radius attributes and APs
Manuel Sánchez Cuenca wrote:
> Can anybody tell me any Access Point which understands and enforces some
> radius attributes returned by freeradius, such as Session-Timeout.

Access points implement RADIUS, so they understand RADIUS attributes.

Do you have a more specific question?

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Radius attributes and APs
Can anybody tell me any Access Point which understands and enforces some radius attributes returned by freeradius, such as Session-Timeout.

Thanks in advance.

--
Manuel Sanchez Cuenca
Departamento de Ingenieria de la Informacion y las Comunicaciones
Facultad de Informatica. Universidad de Murcia
Campus de Espinardo - 30080 Murcia (SPAIN)
Tel.: +34-968-364644
Fax: +34-968-364151
email: [EMAIL PROTECTED] | [EMAIL PROTECTED]
url: http://libra.inf.um.es/~lolo
Re: AP and radius attributes
On Mon 30 Oct 2006 19:32, Manuel Sánchez Cuenca wrote:
> Hello all,
>
> does anybody know if the linksys wrt54g AP supports any radius
> attribute, such as Session-Timeout. Anyway, can anybody tell me which
> APs apply the radius attributes sent by the freeradius server after a
> successful authentication?

You need to check your AP's documentation for this. If you wish you can start a list in the wiki.

Cheers
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
AP and radius attributes
Hello all,

does anybody know if the linksys wrt54g AP supports any radius attribute, such as Session-Timeout. Anyway, can anybody tell me which APs apply the radius attributes sent by the freeradius server after a successful authentication?

Thanks in advance.

--
Manuel Sanchez Cuenca
Departamento de Ingenieria de la Informacion y las Comunicaciones
Facultad de Informatica. Universidad de Murcia
Campus de Espinardo - 30080 Murcia (SPAIN)
Tel.: +34-968-364644
Fax: +34-968-364151
email: [EMAIL PROTECTED] | [EMAIL PROTECTED]
url: http://libra.inf.um.es/~lolo
Radius Attributes
Hello all,

How must I configure my freeradius server to include in the Access-Accept response to the AP several radius attributes such as Session-Timeout or Framed-IP-Address?

Thanks in advance.

--
Manuel Sanchez Cuenca
Departamento de Ingenieria de la Informacion y las Comunicaciones
Facultad de Informatica. Universidad de Murcia
Campus de Espinardo - 30080 Murcia (SPAIN)
Tel.: +34-968-364644
Fax: +34-968-364151
email: [EMAIL PROTECTED] | [EMAIL PROTECTED]
url: http://libra.inf.um.es/~lolo
Re: LDAP retrieve additional attributes and map to radius attributes
Figured it out.. Just enabled access_attr=product_id ldap attr.

Thanks.

--- Workout Yahoo <[EMAIL PROTECTED]> wrote:
> Sorry for couple of mails but if someone give me a
> right direction where to look that will be great. As
> wiki is down, its hard for me to look for the
> answer.
>
> Thanks and Regards.
>
> --- Dennis Skinner <[EMAIL PROTECTED]> wrote:
>
> > Workout Yahoo wrote:
> > > Can someone please help me out with this issue?
> > > Will really appreciate.
> >
> > We got your email. 3 times now in 2 days. Please
> > be patient, this is
> > not a paid support forum; you are not guaranteed
> > answers in 30 minutes
> > or less. If you annoy people by repeatedly posting
> > the same exact
> > question, you will be ignored.
> >
> > --
> > Dennis Skinner
> > Systems Administrator
> > BlueFrog Internet
> > http://www.bluefrog.com
Re: LDAP retrieve additional attributes and map to radius attributes
Sorry for couple of mails but if someone give me a right direction where to look that will be great. As wiki is down, its hard for me to look for the answer.

Thanks and Regards.

--- Dennis Skinner <[EMAIL PROTECTED]> wrote:
> Workout Yahoo wrote:
> > Can someone please help me out with this issue?
> > Will really appreciate.
>
> We got your email. 3 times now in 2 days. Please
> be patient, this is
> not a paid support forum; you are not guaranteed
> answers in 30 minutes
> or less. If you annoy people by repeatedly posting
> the same exact
> question, you will be ignored.
>
> --
> Dennis Skinner
> Systems Administrator
> BlueFrog Internet
> http://www.bluefrog.com
Re: LDAP retrieve additional attributes and map to radius attributes
Workout Yahoo wrote:
> Can someone please help me out with this issue? Will
> really appreciate.

We got your email. 3 times now in 2 days. Please be patient, this is not a paid support forum; you are not guaranteed answers in 30 minutes or less. If you annoy people by repeatedly posting the same exact question, you will be ignored.

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
Re: LDAP retrieve additional attributes and map to radius attributes
Can someone please help me out with this issue? Will really appreciate.

Thanks in advance.

--- Workout Yahoo <[EMAIL PROTECTED]> wrote:
> Hi, Sorry if this question is a repeat but I saw the
> mail archives and not able to find what I am looking
> for.
>
> We are using freeradius to connect to LDAP server.
> I can able to authenticate with the radius sever
> fine.
>
> Now I want to retrieve ldap attribute called
> productId. Depends on the productId, I have to give
> access the users.
>
> If the productId=1234, then all the users will get
> access. If not..no access.
>
> After reading the mail archives and documentation, I
> saw I need to do changes in
> /etc/raddb/dictionary,/etc/raddb/users,
> /etc/raddb/ldap.attrmap
>
> Can you please explain me what is the right config I
> need to modify.
>
> You help is really appreciated.
> Thanks and regards.
>
> Here is the radiusd.conf for ldap.
>
> ldap {
>     server = "testldap.xyz.com"
>     identity = "cn=Directory Manager"
>     password = 1223
>     basedn = "dc=test1213,dc=household,o=internet"
>     filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>     encryption_scheme = crypt
>     start_tls = no
>     dictionary_mapping = ${raddbdir}/ldap.attrmap
>     ldap_connections_number = 5
>     password_attribute = userPassword
>     timeout = 4
>     timelimit = 3
>     net_timeout = 1
>     #compare_check_items = yes
>     #do_xlat = yes
>     # access_attr_used_for_allow = yes
> }
LDAP retrieve additional attributes and map to radius attributes
Hi,

Sorry if this question is a repeat but I saw the mail archives and not able to find what I am looking for.

We are using freeradius to connect to LDAP server. I can able to authenticate with the radius sever fine.

Now I want to retrieve ldap attribute called productId. Depends on the productId, I have to give access the users.

If the productId=1234, then all the users will get access. If not..no access.

After reading the mail archives and documentation, I saw I need to do changes in /etc/raddb/dictionary, /etc/raddb/users, /etc/raddb/ldap.attrmap

Can you please explain me what is the right config I need to modify.

You help is really appreciated.
Thanks and regards.

Here is the radiusd.conf for ldap.

ldap {
    server = "testldap.xyz.com"
    identity = "cn=Directory Manager"
    password = 1223
    basedn = "dc=test1213,dc=household,o=internet"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    encryption_scheme = crypt
    start_tls = no
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    password_attribute = userPassword
    timeout = 4
    timelimit = 3
    net_timeout = 1
    #compare_check_items = yes
    #do_xlat = yes
    # access_attr_used_for_allow = yes
}
Sending radius attributes....
Is there any way to send back specific radius attributes based on a sql query? So, say I have a user, and then I want to send back a specific attribute based on some other information. Is this a case for a custom module?

-Bob
Re: Radius attributes necessary for PPP connection into Cisco modem-bank
> > If you control the Cisco modem bank and the RADIUS server, then you
> > can configure the RADIUS server to send the "right" attributes back to
> > the Cisco bank.
> >
> > It SHOULD do this by default. Also, consult the Cisco documentation
> > to see what attributes it needs to establish a PPP connection, and
> > then make FreeRADIUS send those attributes.
>
> An excellent tip and not one i had considered, thanks again.

For dial-up PPP w/ Cisco NAS, we use the following radius reply attrs

    Service-Type = Framed-User
    Framed-Protocol = PPP
    Framed-IP-Netmask = 255.255.255.0
    Framed-Routing = None

Not sure what is needed or isn't, but it's working with those reply values. Hope that at least leads you in the right direction for searching Cisco's docs.

-Dusty Doris
Re: Radius attributes necessary for PPP connection into Cisco modem-bank
On Jun 16, 2005, at 2:15 PM, Alan DeKok wrote:

> Mike Partyka <[EMAIL PROTECTED]> wrote:..
>
> Please don't CC me. I already get enough mail.

Sorry i think i just replied then just before sending thought i CC the list. i won't do that again.

> > The modem dials out to the Cisco modem bank, the modem bank (i am
> > guessing here, as i am not this far) is configured to authenticate
> > against Radius. Radius is configured to talk to Mysql and uses a
> > query that checks the username/password, based on the exit status it
> > accepts or denies the connection request to the modem.
>
> Yes... (barring the "exit status" confusion)

Maybe that was a bad way to describe it, but i really just mean accept connection if the username/password returns true deny if the query returns false.

> > As i said my PPP knowledge is weak, but isn't what i described part
> > of the PAP/CHAP handshake process that Radius is configured to use?
>
> No. Your model does PPP, as does the other end. You do PAP/CHAP over PPP. The other end takes that PAP/CHAP, and puts it into RADIUS.

I see, thanks for the clarification.

> *Your* end never sees the RADIUS packets, and never talks to the MySQL server. Your original post made it sound like that's what you wanted to do.

Ahh, i see why you said it would never work, my initial post wasn't a good description.

> If you control the Cisco modem bank and the RADIUS server, then you can configure the RADIUS server to send the "right" attributes back to the Cisco bank.
>
> It SHOULD do this by default. Also, consult the Cisco documentation to see what attributes it needs to establish a PPP connection, and then make FreeRADIUS send those attributes.

An excellent tip and not one i had considered, thanks again.

Regards,
Re: Radius attributes necessary for PPP connection into Cisco modem-bank
Mike Partyka <[EMAIL PROTECTED]> wrote:..

Please don't CC me. I already get enough mail.

> The modem dials out to the Cisco modem bank, the modem bank (i am
> guessing here, as i am not this far) is configured to authenticate
> against Radius. Radius is configured to talk to Mysql and uses a
> query that checks the username/password, based on the exit status it
> accepts or denies the connection request to the modem.

Yes... (barring the "exit status" confusion)

> As i said my PPP knowledge is weak, but isn't what i described part
> of the PAP/CHAP handshake process that Radius is configured to use?

No. Your model does PPP, as does the other end. You do PAP/CHAP over PPP. The other end takes that PAP/CHAP, and puts it into RADIUS.

*Your* end never sees the RADIUS packets, and never talks to the MySQL server. Your original post made it sound like that's what you wanted to do.

If you control the Cisco modem bank and the RADIUS server, then you can configure the RADIUS server to send the "right" attributes back to the Cisco bank.

It SHOULD do this by default. Also, consult the Cisco documentation to see what attributes it needs to establish a PPP connection, and then make FreeRADIUS send those attributes.

Alan DeKok.
Re: Radius attributes necessary for PPP connection into Cisco modem-bank
On Jun 16, 2005, at 1:29 PM, Alan DeKok wrote:

> You are trying to authenticate a modem connection... which means you can't use it until it's authenticated. Which means you can't use it to get data from the other end to do the authentication. Maybe I'm confused by your description, but what you described is impossible

Let me take another stab at describing it and maybe it'll help.

The modem dials out to the Cisco modem bank, the modem bank (i am guessing here, as i am not this far) is configured to authenticate against Radius. Radius is configured to talk to Mysql and uses a query that checks the username/password, based on the exit status it accepts or denies the connection request to the modem.

As i said my PPP knowledge is weak, but isn't what i described part of the PAP/CHAP handshake process that Radius is configured to use? Please correct me if i am mistaken.

Thanks,
Re: Radius attributes necessary for PPP connection into Cisco modem-bank
Mike Partyka <[EMAIL PROTECTED]> wrote:

> I just don't understand what are the necessary attributes that
> Radius has to pass back to the modem in order for the connection to
> be made.

See the PPP documentation. It should tell you.

> The modem is dialing into a Cisco modem bank here at our office
> where the Mysql databse is as well.

Huh? You're trying to authenticate a connection... by using something at the other end of that connection? That won't *ever* work.

Alan DeKok.
Radius attributes necessary for PPP connection into Cisco modem-bank
I have been asked to setup Radius to authenticate a modem connection by connecting to our Mysql database. I have read the Radius documentation more than once and i attribute my difficulties to a poor understanding of PPP connections on Linux.

I just don't understand what are the necessary attributes that Radius has to pass back to the modem in order for the connection to be made. The modem is dialing into a Cisco modem bank here at our office where the Mysql database is as well. I have been given a query for Radius to do that will get the authentication from Mysql but i am so far from that portion of the setup, i don't know where to look first.

From where i stand it seems like i could keep reading the Radius documentation and still never understand what needs to be done because i am lacking some more fundamental information that is required to put the pieces together.

Can anyone point me to some basic documentation that might firm up my understanding of what needs to be done?

Thanks,

Mike Partyka
Jumpnode Systems, LLC
Systems Administrator
(612)605-5056 Desk
(612)605-3510 Fax
Re: RADIUS attributes
vicky <[EMAIL PROTECTED]> wrote:

> You are not the one confused, it is more likely that I'm speaking
> gibberish.

Describing exactly what you see, and what you want would help a lot. If you describe your problem in only one sentence, then most people have no idea what you mean. And using phrases like "configured attributes" is confusing, because no one knows what you mean.

> If my server receives the (all!) attributes from any NAS in the
> request then problem solved. But, the request piece in the debugger
> is so small, I had a doubt that I couldn't see all attributes in
> there, but if you say so...

That's a good description of what you want. And yes, the answer is all of the attributes sent by the NAS are printed in debugging mode.

Alan DeKok.
Re: RADIUS attributes
Exactly, what I meant by client is NAS not PC. You are not the one confused, it is more likely that I'm speaking gibberish.

If my server receives the (all!) attributes from any NAS in the request then problem solved. But, the request piece in the debugger is so small, I had a doubt that I couldn't see all attributes in there, but if you say so...

Enormous thanks!

Vicky

Michael Mitchell wrote:

> Maybe I'm just really confused, but the attributes that the client has "set" are the ones that the server receives in the request...
>
> Maybe you need to define what you mean by client... A "client" is something that sends RADIUS requests to a radius server, eg a Network Access Server (NAS) of some sort. If by "client" you mean for example a PC that is using a modem to dial up to a network, then the answer is "it doesn't set any attributes". It may however supply some values (like a username and password) that the NAS will populate some RADIUS attributes with.
>
> regards,
> Mike (same Mike, different email address ;-) )
>
> vicky wrote:
>
> > Mitchell (and all the rest),
> >
> > Thanks for your answer but what I meant was: Of all freeRADIUS attributes that exist, I want to know exactly which ones the "client" (the one on the other side who is trying to connect to my server) has set (configured) and to which value. Is this feasible?
> >
> > Thanks again,
> > Vicky

--
Vicky El Fhaily
Integration Manager
TRUSTIVE (France)
WTC 2, Les Bouillides
120, Route des Macarons
Parc de Sophia Antipolis
06560 Valbonne, France
Phone: +33 493 65 25 63
Fax: +33 493 65 21 56
www.trustive.com / www.corp.trustive.com
Re: RADIUS attributes
Maybe I'm just really confused, but the attributes that the client has "set" are the ones that the server receives in the request...

Maybe you need to define what you mean by client... A "client" is something that sends RADIUS requests to a radius server, eg a Network Access Server (NAS) of some sort. If by "client" you mean for example a PC that is using a modem to dial up to a network, then the answer is "it doesn't set any attributes". It may however supply some values (like a username and password) that the NAS will populate some RADIUS attributes with.

regards,
Mike (same Mike, different email address ;-) )

vicky wrote:

> Mitchell (and all the rest),
>
> Thanks for your answer but what I meant was: Of all freeRADIUS attributes that exist, I want to know exactly which ones the "client" (the one on the other side who is trying to connect to my server) has set (configured) and to which value. Is this feasible?
>
> Thanks again,
> Vicky
Re: RADIUS attributes
Mitchell (and all the rest),

Thanks for your answer but what I meant was: Of all freeRADIUS attributes that exist, I want to know exactly which ones the "client" (the one on the other side who is trying to connect to my server) has set (configured) and to which value. Is this feasible?

Thanks again,
Vicky
RE: RADIUS attributes
>Hi Alan,
>Thanks for your answer but that is unfortunately not what I
>had hoped for. What I'm actually looking for is a way to
>retrieve the configured attributes of some one that is trying
>to connect to my freeRADIUS server. Is that possible?

Configured where? Do you mean you want to see what is received in the RADIUS request? They're shown when the request is received. This can also be logged. Take a look at auth_log (and reply_log) in the radiusd.conf file.

Hope that helps?

Mike
Re: RADIUS attributes
Hi Alan,

Thanks for your answer but that is unfortunately not what I had hoped for. What I'm actually looking for is a way to retrieve the configured attributes of some one that is trying to connect to my freeRADIUS server. Is that possible?

Best,
Vicky

Alan DeKok wrote:

> vicky <[EMAIL PROTECTED]> wrote:
>
> > I was wondering if RADIUS attributes show when I run the server in debug mode. It spits out a lot of things, is the configured attributes there between? In other words, does one see the attributes configured just by looking at the output from the debugger?
>
> For some attributes, yes. The debug mode generally prints out what module did what, which enables you to read your configuration files, to discover which attributes are matched.
>
> Alan DeKok.

--
Vicky El Fhaily
Integration Manager
TRUSTIVE (France)
WTC 2, Les Bouillides
120, Route des Macarons
Parc de Sophia Antipolis
06560 Valbonne, France
Phone: +33 493 65 25 63
Fax: +33 493 65 21 56
www.trustive.com / www.corp.trustive.com
Re: RADIUS attributes
vicky <[EMAIL PROTECTED]> wrote:

> I was wondering if RADIUS attributes show when I run the server in debug
> mode. It spits out a lot of things, is the configured attributes there
> between? In other words, does one see the attributes configured just by
> looking at the output from the debugger?

For some attributes, yes. The debug mode generally prints out what module did what, which enables you to read your configuration files, to discover which attributes are matched.

Alan DeKok.
RADIUS attributes
Hi guys and girls!

I was wondering if RADIUS attributes show when I run the server in debug mode. It spits out a lot of things, is the configured attributes there between? In other words, does one see the attributes configured just by looking at the output from the debugger?

Thanks all!

Peace
Vicky
Re: Mapping a single LDAP attribute to multiple radius attributes
Michael Griego <[EMAIL PROTECTED]> wrote:

> Or, instead of using the Autz-Type attribute, use the new rlm_policy
> module in CVS to selectively call instance ldap1 or ldap2 based on the
> huntgroup.

I don't think that works quite as yet.

Alan DeKok.
Re: Mapping a single LDAP attribute to multiple radius attributes
Create two instances of the LDAP module, ie ldap1 and ldap2. In instance ldap1, have one attrmap (perhaps called ldap1.attrmap) with the LDAP attribute mapped one way and with instance ldap2, have a different attrmap (perhaps called ldap2.attrmap) with the LDAP attribute mapped a different way. Then, for huntgroup A, set the Autz-Type to ldap1, and for huntgroup B, set the Autz-Type to ldap2.

Or, instead of using the Autz-Type attribute, use the new rlm_policy module in CVS to selectively call instance ldap1 or ldap2 based on the huntgroup.

--Mike

Mitchell, Michael J wrote:

> I'm after some suggestions to a problem I'm facing…
>
> Can anyone think of a way to map a single LDAP attribute to one of a choice of radius attributes depending on the type of NAS that made the request?
>
> Ie, if the request came from NAS type A, then map the LDAP attribute to radius attribute blah-X but if the request came from NAS type B, then map the LDAP attribute to radius attribute blah-Y
>
> I can use huntgroups to group my NAS's together obviously, but I'm not sure of a method to map the LDAP attribute based on this? (other than modifying the LDAP module to do what I want… Performance is a fairly important consideration also.
>
> I think that LDAP attributes returned in a search are only visible from within the LDAP module if the attribute is not mapped to a RADIUS attribute? This being the case, I could define a new "vendor specific" RADIUS attribute as a temporary holder for this value, so that another module can take care of the real mapping.
>
> Any suggestions would be greatly welcomed, and thanks in advance for your thoughts…
>
> Regards,
> Mike
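The two-instance setup described in the reply above, written out as an added configuration sketch; it is not taken from either poster's server and uses the Autz-Type route only. It assumes the FreeRADIUS 1.x-era file layout the thread is working with; the server name, base DN, huntgroup names, NAS addresses and the LDAP attribute name exampleLdapAttr are placeholders, and blah-X / blah-Y are the stand-in attribute names from the question.

```conf
# ---- raddb/radiusd.conf ------------------------------------------------
modules {
	# Two instances of the ldap module that differ only in the
	# attribute map they load. Server and base DN are placeholders.
	ldap ldap1 {
		server = "ldap.example.org"
		basedn = "dc=example,dc=org"
		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
		dictionary_mapping = ${raddbdir}/ldap1.attrmap
	}
	ldap ldap2 {
		server = "ldap.example.org"
		basedn = "dc=example,dc=org"
		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
		dictionary_mapping = ${raddbdir}/ldap2.attrmap
	}
}

authorize {
	# preprocess loads raddb/huntgroups so Huntgroup-Name can be matched;
	# files reads raddb/users, which sets Autz-Type for the request.
	preprocess
	files

	# Only the block whose name matches Autz-Type is run.
	Autz-Type ldap1 {
		ldap1
	}
	Autz-Type ldap2 {
		ldap2
	}
}

# ---- raddb/huntgroups (names and addresses are placeholders) -----------
nas-type-a	NAS-IP-Address == 192.0.2.10
nas-type-b	NAS-IP-Address == 192.0.2.20

# ---- raddb/users -------------------------------------------------------
DEFAULT	Huntgroup-Name == "nas-type-a", Autz-Type := ldap1
	Fall-Through = Yes

DEFAULT	Huntgroup-Name == "nas-type-b", Autz-Type := ldap2
	Fall-Through = Yes

# ---- raddb/ldap1.attrmap -----------------------------------------------
# ItemType	RADIUS-Attribute	ldapAttribute
# blah-X and blah-Y must be defined in the dictionary.
replyItem	blah-X			exampleLdapAttr

# ---- raddb/ldap2.attrmap -----------------------------------------------
replyItem	blah-Y			exampleLdapAttr
```

A request from a NAS that is in neither huntgroup gets no Autz-Type, so neither ldap instance runs for it.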
Mapping a single LDAP attribute to multiple radius attributes
I'm after some suggestions to a problem I'm facing…

Can anyone think of a way to map a single LDAP attribute to one of a choice of radius attributes depending on the type of NAS that made the request?

Ie, if the request came from NAS type A, then map the LDAP attribute to radius attribute blah-X but if the request came from NAS type B, then map the LDAP attribute to radius attribute blah-Y

I can use huntgroups to group my NAS's together obviously, but I'm not sure of a method to map the LDAP attribute based on this? (other than modifying the LDAP module to do what I want… Performance is a fairly important consideration also.

I think that LDAP attributes returned in a search are only visible from within the LDAP module if the attribute is not mapped to a RADIUS attribute? This being the case, I could define a new "vendor specific" RADIUS attribute as a temporary holder for this value, so that another module can take care of the real mapping.

Any suggestions would be greatly welcomed, and thanks in advance for your thoughts…

Regards,
Mike
Re: 3GPP radius Attributes
Hemanth Mysore <[EMAIL PROTECTED]> wrote:

> If possible can You Please tell me about the Radius Testing tool
> which supports these Attributes or any other possibilities to test
> this ,

FreeRADIUS includes 3GPP attributes in its dictionaries. Therefore, "radclient" supports them, too.

Alan DeKok.
3GPP radius Attributes
Hi All,

I am doing Radius Accounting functionality testing for GGSN. It includes some 3GPP Vendor Specific Radius Attributes such as IMSI, Charging ID etc.

If possible can You Please tell me about the Radius Testing tool which supports these Attributes or any other possibilities to test this,

Thanking You All in Advance,

With Regards
Hemanth
Re: About Radius Attributes
Lara Adianto <[EMAIL PROTECTED]> wrote:

> What I need is some
> real-case examples. For example:
> - Example of Radius client that asks for service-type
> outbound, and what kind of devices it wants to be
> granted access.

I can't help you there, sorry.

> - Similarly, example of Radius client that asks for
> service-type administrative, NAS Prompt, Callback NAS
> Prompt, Call Check, and maybe some scenarios in which
> they are used ?

I would think it's obvious what they mean. The RFC's also describe what they mean, so I'm not sure what else you're looking for.

> I understand that it depends of my own configuration.
> But I'm interested to know about the common practice
> out there. Would you care to elaborate more ? I'm
> still new to the Radius concept.

Buy the RADIUS book.

> Can you please provide me with some links to any NAS
> vendor documentation ? I don't have any specific NAS
> in mind currently.

Then your questions about NAS behavior are pretty much irrelevant. If you're trying to understand how RADIUS works, buy the book.

Alan DeKok.
Re: About Radius Attributes
Hi Alan,

>> 1. In which case will a radius client request for the
>> above service type or which radius clients usually
>> request for the above service-type ?
> http://www.freeradius.org/rfc/attributes.html
> Click on "Service-Type", and it will tell you what
> those values mean, and when they're used.

I actually posted the question after reading the RFC. The RFC tells you a lot about the standard, but not about the current practice. What I need is some real-case examples. For example:

- Example of Radius client that asks for service-type outbound, and what kind of devices it wants to be granted access.
- Similarly, example of Radius client that asks for service-type administrative, NAS Prompt, Callback NAS Prompt, Call Check, and maybe some scenarios in which they are used ?

>> 2. What attributes are usually returned in the
>> access-accept packet for the above service type ?
> It depends on your local configuration.

I understand that it depends on my own configuration. But I'm interested to know about the common practice out there. Would you care to elaborate more ? I'm still new to the Radius concept.

>> For Service-type PPP / SLIP requested, is there any
>> MANDATORY attributes that need to be returned by the
>> radius server in the access-accept packet
>> (Framed-IP-Address, Framed-MTU, etc) ?
> See the RFC's, and your NAS vendor documentation.

Can you please provide me with some links to any NAS vendor documentation ? I don't have any specific NAS in mind currently.

>> If the
>> Framed-IP-Address is not a mandatory attribute to be
>> returned for service-type PPP, how will the NAS decide
>> the IP Address assigned to the user ?
> See the NAS documentation. It depends on the NAS.
> Alan DeKok.

=
Life, you see, is never as good or as bad as one thinks
- Guy de Maupassant -
Re: About Radius Attributes
Lara Adianto <[EMAIL PROTECTED]> wrote:

> 1. In which case will a radius client request for the
> above service type or which radius clients usually
> request for the above service-type ?

http://www.freeradius.org/rfc/attributes.html

Click on "Service-Type", and it will tell you what those values mean, and when they're used.

> 2. What attributes are usually returned in the
> access-accept packet for the above service type ?

It depends on your local configuration.

> For Service-type PPP / SLIP requested, is there any
> MANDATORY attributes that need to be returned by the
> radius server in the access-accept packet
> (Framed-IP-Address, Framed-MTU, etc) ?

See the RFC's, and your NAS vendor documentation.

> If the
> Framed-IP-Address is not a mandatory attribute to be
> returned for service-type PPP, how will the NAS decide
> the IP Address assigned to the user ?

See the NAS documentation. It depends on the NAS.

Alan DeKok.
About Radius Attributes
Hello,

I need some information about the following 'service-type' attribute:

- Outbound
- Administrative
- NAS Prompt
- Call Check
- Callback NAS Prompt

1. In which case will a radius client request for the above service type or which radius clients usually request for the above service-type ?

2. What attributes are usually returned in the access-accept packet for the above service type ?

For Service-type PPP / SLIP requested, is there any MANDATORY attributes that need to be returned by the radius server in the access-accept packet (Framed-IP-Address, Framed-MTU, etc) ? If the Framed-IP-Address is not a mandatory attribute to be returned for service-type PPP, how will the NAS decide the IP Address assigned to the user ?

Thank you for any replies,
lara

=
Life, you see, is never as good or as bad as one thinks
- Guy de Maupassant -