Re: I can't get 'access-accept' from Linux clients (SOLVED)
2008/1/10, [EMAIL PROTECTED] [EMAIL PROTECTED]:

Hi,

Hi, I can't still figure it out why I can't access from Linux clients. I use version 1.1.7 of freeradius. Linux client is a Fedora 8 system.

what is the linux client config? i see the following in your debug

rlm_eap: Request found, released from the list
rlm_eap: EAP/md5
rlm_eap: processing type md5
rlm_eap_md5: User-Password is required for EAP-MD5 authentication
rlm_eap: Handler failed in EAP/md5
rlm_eap: Failed in EAP select
modcall[authenticate]: module eap returns invalid for request 84
modcall: leaving group authenticate (returns invalid) for request 84
auth: Failed to validate the user.

i would also advise that you upgrade to 2.0.0 - not only could this issue be resolved anyway - it's a hell of a lot easier to debug - far less EAP messages!

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Well, Finally I get the blessed Access-Accept for Linux clients too. How I did that? Well, I upgraded to radius 2.0.1.

maybe it could be helpful for many people my settings, well I won't hide as alchemy secret ;)

radiusd.conf

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = xxx.qq.yyy.pp
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions= yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
    max_attributes = 200
    reject_delay = 1
    status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp= no
$INCLUDE ${confdir}/snmp.conf
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}
modules {
    pap {
        auto_header = yes
    }
    chap {
        authtype = CHAP
    }
    pam {
        pam_auth = radiusd
    }
    $INCLUDE ${confdir}/eap.conf
    mschap {
        use_mppe = no
        require_encryption = yes
    }
    ldap {
        server = ldap.cadorna.biz
        port = 636
        identity = cn=freeradius,ou=applications,dc=cadorna,dc=biz
        password = sambombas
        basedn = ou=people,dc=palermo,dc=edu
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        ldap_debug = 0x0028
        tls_cacertfile = /etc/raddb/cacert.pem
        tls_randfile= /dev/urandom
        tls_require_cert= allow
        access_attr = radiusAllowed
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        password_attribute = userPassword
        edir_account_policy_check=no
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
    realm IPASS {
        format = prefix
        delimiter = /
        ignore_default = no
        ignore_null = no
    }
    realm suffix {
        format = suffix
        delimiter = @
        ignore_default = no
        ignore_null = no
    }
    realm realmpercent {
        format = suffix
        delimiter = %
        ignore_default = no
        ignore_null = no
    }
    realm ntdomain {
        format = prefix
        delimiter = \\
        ignore_default = no
        ignore_null = no
    }
    checkval {
        item-name = Calling-Station-Id
        check-name = Calling-Station-Id
        data-type = string
    }
    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }
    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        preproxy_usersfile = ${confdir}/preproxy_users
        compat = no
    }
    detail {
        detailfile =
Re: I can't get 'access-accept' from Linux clients (SOLVED)
Ooops, because of the emotion I pasted old config files. Well here are the fresh files:

prefix = /usr/local2
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
db_dir = $(raddbdir)
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
    ipaddr = zzz.zz.zz.zzz
    port = 0
    type = auth
}
listen {
    ipaddr = zzz.zz.zz.zzz
    port = 0
    type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions= yes
log {
    destination = files
    syslog_facility = daemon
    file = ${logdir}/radius.log
    stripped_names = no
    auth = yes
    auth_badpass = no
    auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
}
proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
snmp= no
$INCLUDE snmp.conf
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}
modules {
    pap {
        auto_header = yes
    }
    chap {
        authtype = CHAP
    }
    pam {
        pam_auth = radiusd
    }
    unix {
        radwtmp = ${logdir}/radwtmp
    }
    $INCLUDE eap.conf
    mschap {
    }
    ldap {
        server = ldap.cadorna.biz
        port = 636
        identity = cn=freeradius,ou=applications,dc=cadorna,dc=biz
        password = sambombas
        basedn = ou=people,dc=cadorna,dc=biz
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
            start_tls = no
            cacertfile = /etc/raddb2/cacert.pem
            randfile= /dev/urandom
            require_cert= allow
        }
        access_attr = radiusAllowed
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
    }
    realm IPASS {
        format = prefix
        delimiter = /
    }
    realm suffix {
        format = suffix
        delimiter = @
    }
    realm realmpercent {
        format = suffix
        delimiter = %
    }
    realm ntdomain {
        format = prefix
        delimiter = \\
    }
    checkval {
        item-name = Calling-Station-Id
        check-name = Calling-Station-Id
        data-type = string
    }
    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }
    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        preproxy_usersfile = ${confdir}/preproxy_users
        compat = no
    }
    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
        header = %t
    }
    acct_unique {
        key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
    }
    $INCLUDE sql.conf
    radutmp {
        filename = ${logdir}/radutmp
        username = %{User-Name}
        case_sensitive = yes
        check_with_nas = yes
        perm = 0600
        callerid = yes
    }
    radutmp sradutmp {
        filename = ${logdir}/sradutmp
        perm = 0644
        callerid = no
    }
    attr_filter attr_filter.post-proxy {
        attrsfile = ${confdir}/attrs
    }
    attr_filter attr_filter.pre-proxy {
        attrsfile = ${confdir}/attrs.pre-proxy
    }
    attr_filter attr_filter.access_reject {
        key = %{User-Name}
        attrsfile = ${confdir}/attrs.access_reject
    }
    attr_filter attr_filter.accounting_response {
        key = %{User-Name}
        attrsfile = ${confdir}/attrs.accounting_response
    }
    counter daily {
        filename = ${db_dir}/db.daily
        key
Re: I can't get 'access-accept' from Linux clients
2008/1/11, Arran Cudbard-Bell [EMAIL PROTECTED]:

[EMAIL PROTECTED] wrote:

Store cleartext passwords and all eap types will work. Real problem is the encrypted password not the eap type.

Ivan Kalik
Kalik Informatika ISP

On 11/1/2008, Sergio Belkin [EMAIL PROTECTED] wrote:

2008/1/10, Ivan Kalik [EMAIL PROTECTED]:

...
rlm_ldap: Added password {SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items
...
rlm_eap_md5: User-Password is required for EAP-MD5 authentication
...

You can't use encrypted passwords with EAP-MD5.

http://deployingradius.com/documents/protocols/compatibility.html

Ivan Kalik
Kalik Informatika ISP

Thanks Ivan! So what default eap type should I use in mixed environment (I mean: Linux and Windows Clients)?

EAP-TTLS with PAP inner encryption. Though you'd need to use SecureW2 or the Open SEA supplicant for the windows side. Otherwise you'd need NT-Hashes for MSChap based methods

Sorry for the stupid and moron question, but how should I do that? Of course I don't ask you that you tell me the step by step, only a clue to follow... thanks in advance

, or the password stored in the clear.

TIA

--
Arran Cudbard-Bell ([EMAIL PROTECTED])

--
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin
-
Re: I can't get 'access-accept' from Linux clients
2008/1/11, Alan DeKok [EMAIL PROTECTED]:

Sergio Belkin wrote:

Alan, Thanks for clearing up the confusion about EAP and PAP. But still I don't understand this: Now I have a windows client working using securew2 with PAP. If PAP is not into the tunnel

Then you are not using securew2.

It was about a question not a statement :)

When you use TTLS + PAP, the passwords go in the tunnel.

Ok thanks for your answer, that is what I was asking :)

Alan DeKok.

--
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin
-
Re: I can't get 'access-accept' from Linux clients
Store cleartext passwords and all eap types will work. Real problem is the encrypted password not the eap type.

Ivan Kalik
Kalik Informatika ISP

On 11/1/2008, Sergio Belkin [EMAIL PROTECTED] wrote:

2008/1/10, Ivan Kalik [EMAIL PROTECTED]:

...
rlm_ldap: Added password {SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items
...
rlm_eap_md5: User-Password is required for EAP-MD5 authentication
...

You can't use encrypted passwords with EAP-MD5.

http://deployingradius.com/documents/protocols/compatibility.html

Ivan Kalik
Kalik Informatika ISP

Thanks Ivan! So what default eap type should I use in mixed environment (I mean: Linux and Windows Clients)?

TIA

--
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin
-
Re: I can't get 'access-accept' from Linux clients
2008/1/10, Ivan Kalik [EMAIL PROTECTED]:

...
rlm_ldap: Added password {SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items
...
rlm_eap_md5: User-Password is required for EAP-MD5 authentication
...

You can't use encrypted passwords with EAP-MD5.

http://deployingradius.com/documents/protocols/compatibility.html

Ivan Kalik
Kalik Informatika ISP

Thanks Ivan! So what default eap type should I use in mixed environment (I mean: Linux and Windows Clients)?

TIA

--
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin
-
Re: I can't get 'access-accept' from Linux clients
Yes, but my beloved boss wants to use encrypted password in ldap :(

2008/1/11, [EMAIL PROTECTED] [EMAIL PROTECTED]:

Store cleartext passwords and all eap types will work. Real problem is the encrypted password not the eap type.

Ivan Kalik
Kalik Informatika ISP

On 11/1/2008, Sergio Belkin [EMAIL PROTECTED] wrote:

2008/1/10, Ivan Kalik [EMAIL PROTECTED]:

...
rlm_ldap: Added password {SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items
...
rlm_eap_md5: User-Password is required for EAP-MD5 authentication
...

You can't use encrypted passwords with EAP-MD5.

http://deployingradius.com/documents/protocols/compatibility.html

Ivan Kalik
Kalik Informatika ISP

Thanks Ivan! So what default eap type should I use in mixed environment (I mean: Linux and Windows Clients)?

TIA

--
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin
-
Re: I can't get 'access-accept' from Linux clients
[EMAIL PROTECTED] wrote:

Store cleartext passwords and all eap types will work. Real problem is the encrypted password not the eap type.

Ivan Kalik
Kalik Informatika ISP

On 11/1/2008, Sergio Belkin [EMAIL PROTECTED] wrote:

2008/1/10, Ivan Kalik [EMAIL PROTECTED]:

...
rlm_ldap: Added password {SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items
...
rlm_eap_md5: User-Password is required for EAP-MD5 authentication
...

You can't use encrypted passwords with EAP-MD5.

http://deployingradius.com/documents/protocols/compatibility.html

Ivan Kalik
Kalik Informatika ISP

Thanks Ivan! So what default eap type should I use in mixed environment (I mean: Linux and Windows Clients)?

EAP-TTLS with PAP inner encryption. Though you'd need to use SecureW2 or the Open SEA supplicant for the windows side. Otherwise you'd need NT-Hashes for MSChap based methods, or the password stored in the clear.

TIA

--
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin
-

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
Re: I can't get 'access-accept' from Linux clients
Sergio Belkin wrote:

EAP-TTLS with PAP inner encryption.

But is it possible to configure that so? If I tried default_eap_type = pap and radius didn't start.

PAP is not an EAP type. The documentation makes this clear:

# If the request does not contain an EAP
# conversation, then this configuration entry
# is ignored.

In fact, you shouldn't have to do *anything* for PAP to work inside of a TTLS tunnel.

Alan DeKok.
Re: I can't get 'access-accept' from Linux clients
2008/1/11, Arran Cudbard-Bell [EMAIL PROTECTED]:

[EMAIL PROTECTED] wrote:

Store cleartext passwords and all eap types will work. Real problem is the encrypted password not the eap type.

Ivan Kalik
Kalik Informatika ISP

On 11/1/2008, Sergio Belkin [EMAIL PROTECTED] wrote:

2008/1/10, Ivan Kalik [EMAIL PROTECTED]:

...
rlm_ldap: Added password {SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items
...
rlm_eap_md5: User-Password is required for EAP-MD5 authentication
...

You can't use encrypted passwords with EAP-MD5.

http://deployingradius.com/documents/protocols/compatibility.html

Ivan Kalik
Kalik Informatika ISP

Thanks Ivan! So what default eap type should I use in mixed environment (I mean: Linux and Windows Clients)?

EAP-TTLS with PAP inner encryption.

But is it possible to configure that so? If I tried default_eap_type = pap and radius didn't start. In fact in Fedora 8 I have configured PAP as inner Authentication (Wireless Network Secrets Required dialog box) with wpa_supplicant running.

Though you'd need to use SecureW2 or the Open SEA supplicant for the windows side.

Sure, I use securew3 for windows clients.

Otherwise you'd need NT-Hashes for MSChap based methods, or the password stored in the clear.

Last option is not suitable for :(

TIA

--
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin
-

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900

--
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin
-
Re: I can't get 'access-accept' from Linux clients
Sergio Belkin wrote:

Alan, Thanks for clearing up the confusion about EAP and PAP. But still I don't understand this: Now I have a windows client working using securew2 with PAP. If PAP is not into the tunnel

Then you are not using securew2.

When you use TTLS + PAP, the passwords go in the tunnel.

Alan DeKok.
Re: I can't get 'access-accept' from Linux clients
2008/1/11, Alan DeKok [EMAIL PROTECTED]:

Sergio Belkin wrote:

EAP-TTLS with PAP inner encryption.

But is it possible to configure that so? If I tried default_eap_type = pap and radius didn't start.

PAP is not an EAP type. The documentation makes this clear:

# If the request does not contain an EAP
# conversation, then this configuration entry
# is ignored.

In fact, you shouldn't have to do *anything* for PAP to work inside of a TTLS tunnel.

Alan DeKok.

Alan, Thanks for clearing up the confusion about EAP and PAP. But still I don't understand this: Now I have a windows client working using securew2 with PAP. If PAP is not into the tunnel, does it mean that passwords go unencrypted?

TIA

--
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin
-
I can't get 'access-accept' from Linux clients
Hi, I can't still figure it out why I can't access from Linux clients. I use version 1.1.7 of freeradius. Linux client is a Fedora 8 system. I use Freeradius+eap+ttls. Users accounts are stored in a LDAP server.

My eap.conf is:

eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    md5 {
    }
    tls {
        certificate_file = /etc/pki/tls/certs/spectrum.xp-crt.pem
        private_key_file = /etc/pki/tls/certs/spectrum.xp-key.pem
        CA_file = /etc/pki/tls/certs/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
        include_length = yes
        copy_request_to_tunnel = no
        use_tunneled_reply = no
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
    }
    mschapv2 {
    }
}
EOF

These are debugging messages:

rad_recv: Access-Request packet from host 10.30.1.151:2048, id=0, length=125
    User-Name = jsmith
    NAS-IP-Address = 10.30.1.151
    Called-Station-Id = 000625f17036
    Calling-Station-Id = 000e35bf5118
    NAS-Identifier = 000625f17036
    NAS-Port = 54
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020b016d6261726265
    Message-Authenticator = 0x05f08581315f74a9365956e711d1adec
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 78
modcall[authorize]: module preprocess returns ok for request 78
rlm_eap: EAP packet type response id 0 length 11
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 78
modcall[authorize]: module files returns notfound for request 78
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jsmith
radius_xlat: '(uid=jsmith)'
radius_xlat: 'ou=people,dc=foofoo,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=foofoo,dc=edu, with filter (uid=jsmith)
request done: ld 0x557c59c0 msgid 91
rlm_ldap: checking if remote access for jsmith is allowed by radiusAllowed
rlm_ldap: Added password {SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user jsmith authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 78
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module pap returns noop for request 78
modcall: leaving group authorize (returns updated) for request 78
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 78
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module eap returns handled for request 78
modcall: leaving group authenticate (returns handled) for request 78
Sending Access-Challenge of id 0 to 10.30.1.151 port 2048
    EAP-Message = 0x010100061520
    Message-Authenticator = 0x
    State = 0xfc48a9d073781d46b58418c4b4cd9827
Finished request 78
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...

rad_recv: Access-Request packet from host 10.30.1.151:2048, id=0, length=267
    User-Name = jsmith
    NAS-IP-Address = 10.30.1.151
    Called-Station-Id = 000625f17036
    Calling-Station-Id = 000e35bf5118
    NAS-Identifier = 000625f17036
    NAS-Port = 54
    Framed-MTU = 1400
    State = 0xfc48a9d073781d46b58418c4b4cd9827
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020100871500160301007c01780301478642113f068a6df0132c744c49958b45592615abb6622beddf19a8fa52510f20fd4cbc7f733120101175d6dd7f27f2585364c73af2b4d0f65332531e8c2d3c4b003000390038003500160013000a00330032002f006600050004006300620015001200090065006400140011000800060003020100
    Message-Authenticator = 0xdfd8574e151c9d725b98e1d9f907aff5
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 79
modcall[authorize]: module preprocess returns ok for request 79
rlm_eap: EAP packet type response id 1 length 135
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 79
modcall[authorize]: module files returns notfound for request 79
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jsmith
radius_xlat:
Re: I can't get 'access-accept' from Linux clients
Hi,

Hi, I can't still figure it out why I can't access from Linux clients. I use version 1.1.7 of freeradius. Linux client is a Fedora 8 system.

what is the linux client config? i see the following in your debug

rlm_eap: Request found, released from the list
rlm_eap: EAP/md5
rlm_eap: processing type md5
rlm_eap_md5: User-Password is required for EAP-MD5 authentication
rlm_eap: Handler failed in EAP/md5
rlm_eap: Failed in EAP select
modcall[authenticate]: module eap returns invalid for request 84
modcall: leaving group authenticate (returns invalid) for request 84
auth: Failed to validate the user.

i would also advise that you upgrade to 2.0.0 - not only could this issue be resolved anyway - it's a hell of a lot easier to debug - far less EAP messages!

alan
RE: I can't get 'access-accept' from Linux clients
...
rlm_ldap: Added password {SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items
...
rlm_eap_md5: User-Password is required for EAP-MD5 authentication
...

You can't use encrypted passwords with EAP-MD5.

http://deployingradius.com/documents/protocols/compatibility.html

Ivan Kalik
Kalik Informatika ISP
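
Added example (not part of the original thread and not FreeRADIUS code): a sketch of why an {SSHA} value in LDAP can verify a PAP password carried inside the TTLS tunnel, as discussed in the replies above, but cannot verify an EAP-MD5 response. The function names are hypothetical, and the password, salt and challenge are constructed sample values.

```python
"""Why a salted hash in LDAP works with PAP but not with EAP-MD5.

All passwords, salts and challenges below are constructed sample values.
"""
import base64
import hashlib
import hmac

SHA1_LEN = 20  # bytes in a SHA-1 digest


def make_ssha(password: bytes, salt: bytes) -> str:
    """Build an LDAP-style {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def pap_verify(stored_ssha: str, password_from_client: bytes) -> bool:
    """PAP: the server receives the password itself (inside the TTLS tunnel),
    so it can re-hash it with the stored salt and compare digests."""
    if not stored_ssha.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored_ssha[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password_from_client + salt).digest()
    return hmac.compare_digest(candidate, digest)


def md5_challenge_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 / CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def eap_md5_verify(identifier: int, challenge: bytes, response: bytes,
                   server_secret: bytes) -> bool:
    """EAP-MD5: the server only sees the response, so it must recompute the
    MD5 from the same secret the client typed, i.e. the cleartext password."""
    expected = md5_challenge_response(identifier, server_secret, challenge)
    return hmac.compare_digest(expected, response)


def run_demo() -> dict:
    password = b"correct horse"                        # constructed user password
    stored = make_ssha(password, b"\x01\x02\x03\x04")  # constructed LDAP value
    ident, challenge = 7, bytes(range(16))             # constructed EAP id/challenge
    response = md5_challenge_response(ident, password, challenge)  # client side
    return {
        "pap_with_ssha": pap_verify(stored, password),
        "pap_wrong_password": pap_verify(stored, b"wrong"),
        # The server holding only the {SSHA} string cannot reproduce the MD5.
        "eap_md5_with_ssha": eap_md5_verify(ident, challenge, response,
                                            stored.encode("ascii")),
        "eap_md5_with_cleartext": eap_md5_verify(ident, challenge, response,
                                                 password),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```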