Re: EAP-TTLS outer identity & accounting

2007-03-21 Thread Sam Schultz
I can also vouch for freeradius 1.0.5 after building & retro-fitting
my configuration to it. I'll probably just downgrade to an earlier
1.1.x build, since I haven't seen any major security vulnerabilities/
fixes since the early 1.0.x builds.

On Tue, 20 Mar 2007 16:53:26 -0500 [EMAIL PROTECTED] wrote:
>Hi,
>
>> It worked for me right out of the box at one time, too. I have a
>> feeling it was using either freeradius 1.1.3 or 1.0.3 (or whatever
>> FC2 came pre-packaged with). I'll probably test my configuration against
>> an earlier version later & see if I can establish it as a "bug". The
>> version I've been trying to coerce into working is 1.1.4, which was
>> compiled from source.
>
>confirm that EAP-TTLS userids used to work with freeradius (1.0.5 era
>through to 1.1.3) but then only anonymous was seen. i've been following
>this User-Name = %{User-Name} etc thread with interest
>
>alan


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TTLS outer identity & accounting

2007-03-21 Thread A . L . M . Buxey
Hi,

>   Ouch.  It needs fixing, then.  I'm at a conference this week, so I'll
> see what I can do in a few days.
> 
>   It would be nice to have regression tests for the server...

certainly for eg the glibc double-free issue that has hit, but otherwise
there are so many different permutations and combinations that really
that's what the end-user is for ;-)

alan


Re: EAP-TTLS outer identity & accounting

2007-03-21 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> confirm that EAP-TTLS userids used to work with freeradius (1.0.5 era
> through to 1.1.3) but then only anonymous was seen. i've been following
> this User-Name = %{User-Name} etc thread with interest

  Ouch.  It needs fixing, then.  I'm at a conference this week, so I'll
see what I can do in a few days.

  It would be nice to have regression tests for the server...

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: EAP-TTLS outer identity & accounting

2007-03-20 Thread A . L . M . Buxey
Hi,

> It worked for me right out of the box at one time, too. I have a
> feeling it was using either freeradius 1.1.3 or 1.0.3 (or whatever
> FC2 came pre-packaged with). I'll probably test my configuration against
> an earlier version later & see if I can establish it as a "bug". The
> version I've been trying to coerce into working is 1.1.4, which was
> compiled from source.

confirm that EAP-TTLS userids used to work with freeradius (1.0.5 era
through to 1.1.3) but then only anonymous was seen. i've been following
this User-Name = %{User-Name} etc thread with interest

alan


Re: EAP-TTLS outer identity & accounting

2007-03-20 Thread Sam Schultz


On Tue, 20 Mar 2007 09:38:25 -0500 Alan DeKok
<[EMAIL PROTECTED]> wrote:
>Sam Schultz wrote:
>>
>> I have set a DEFAULT entry that sets the User-Name attribute via
>> ':=', but I still end up with two User-Name attributes (anonymous
>> identity & real identity). This is especially strange, since
>> use_tunneled_reply & copy_request_to_tunnel are both enabled as
>> well.
>
>  Then it may be a bug.  My tests look like they work, so I'm not sure
>what the difference is with your configuration.

It worked for me right out of the box at one time, too. I have a
feeling it was using either freeradius 1.1.3 or 1.0.3 (or whatever
FC2 came pre-packaged with). I'll probably test my configuration against
an earlier version later & see if I can establish it as a "bug". The
version I've been trying to coerce into working is 1.1.4, which was
compiled from source.

>
>> If I understand correctly, := should replace the anonymous (first)
>> User-Name value with the real (second) value permitting they are in
>> the same session. Upon looking back at the debug output, it looks like
>> the tunneled request is actually handled as if it were a separate
>> request than the one containing it (request->eap module-(unpack)->new request).
>
>  Yes.
>
>> This would explain why two User-Name attributes are showing up in the
>> final response.
>
>  Not entirely.  If you have use_tunneled_reply = yes, AND you're doing:
>
>DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
>   User-Name := `%{User-Name}`
>
>  Then that name should be copied to the outer tunnel, AND the outer
>tunnel SHOULD NOT add the "anonymous" username in the reply, because it
>sees the User-Name copied from the tunnel.  See src/modules/rlm_eap/*.c

I may do this as a last resort. In my experience, code dependent
on openssl tends to be ugly & hard to follow/understand. 

>
>> P.S. A link to a list of known-good access points, or personal
>>  recommendations on access points would also be appreciated.
>
>  See the Wiki.  If you have good experiences, add them to the Wiki.
>
>>  We will be replacing a few 3com APs soon because they don't
>>  play well with...well...ANYTHING. One (3com OfficeConnect)
>>  doesn't even have options for radius account, even though
>>  it advertises the feature right on the box.
>
>  Return them as broken.

I planned on it as soon as I get replacements. It doesn't look like 
3com even has a bug reporting system of any kind. Well, at least 
not for customers who don't have a support contract with them, 
anyway.

>
>  Cisco AP350's seems to be pretty solid.
>
>  Alan DeKok.
>--
>  http://deployingradius.com   - The web site of the book
>  http://deployingradius.com/blog/ - The blog




Re: EAP-TTLS outer identity & accounting

2007-03-20 Thread Alan DeKok
Sam Schultz wrote:
>
> I have set a DEFAULT entry that sets the User-Name attribute via
> ':=', but I still end up with two User-Name attributes (anonymous
> identity & real identity). This is especially strange, since 
> use_tunneled_reply & copy_request_to_tunnel are both enabled as 
> well. 

  Then it may be a bug.  My tests look like they work, so I'm not sure
what the difference is with your configuration.

> If I understand correctly, := should replace the anonymous (first)
> User-Name value with the real (second) value permitting they are in
> the same session. Upon looking back at the debug output, it looks like
> the tunneled request is actually handled as if it were a separate
> request than the one containing it (request->eap module-(unpack)->new request).

  Yes.

> This would explain why two User-Name attributes are showing up in the
> final response.

  Not entirely.  If you have use_tunneled_reply = yes, AND you're doing:

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
User-Name := `%{User-Name}`

  Then that name should be copied to the outer tunnel, AND the outer
tunnel SHOULD NOT add the "anonymous" username in the reply, because it
sees the User-Name copied from the tunnel.  See src/modules/rlm_eap/*.c

> P.S. A link to a list of known-good access points, or personal
>  recommendations on access points would also be appreciated.

  See the Wiki.  If you have good experiences, add them to the Wiki.

>  We will be replacing a few 3com APs soon because they don't
>  play well with...well...ANYTHING. One (3com OfficeConnect)
>  doesn't even have options for radius account, even though
>  it advertises the feature right on the box.

  Return them as broken.

  Cisco AP350s seem to be pretty solid.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: EAP-TTLS outer identity & accounting

2007-03-19 Thread Thor Spruyt
Sam Schultz wrote:
> P.S. A link to a list of known-good access points, or personal
> recommendations on access points would also be appreciated.
> We will be replacing a few 3com APs soon because they don't
> play well with...well...ANYTHING. One (3com OfficeConnect)
> doesn't even have options for radius account, even though
> it advertises the feature right on the box.

I would recommend Cisco Aironet.

Regards,
Thor.



Re: EAP-TTLS outer identity & accounting

2007-03-19 Thread Sam Schultz
After a lot of experimenting & researching, I still haven't found
a solution to the TTLS anonymous outer identity being used for
accounting.

I have set a DEFAULT entry that sets the User-Name attribute via
':=', but I still end up with two User-Name attributes (anonymous
identity & real identity). This is especially strange, since 
use_tunneled_reply & copy_request_to_tunnel are both enabled as 
well. 

If I understand correctly, := should replace the anonymous (first)
User-Name value with the real (second) value permitting they are in
the same session. Upon looking back at the debug output, it looks like
the tunneled request is actually handled as if it were a separate
request than the one containing it (request->eap module-(unpack)->new request).
This would explain why two User-Name attributes are showing up in the
final response. Is there any way to discard the first (anonymous) entry
via a module or other method without hacking FR code?

Surely someone has this working. My setup is just basic TTLS-PAP
auth'ing against LDAP.

P.S. A link to a list of known-good access points, or personal
 recommendations on access points would also be appreciated.
 We will be replacing a few 3com APs soon because they don't
 play well with...well...ANYTHING. One (3com OfficeConnect)
 doesn't even have options for radius account, even though
 it advertises the feature right on the box.





Re: RE : EAP-TTLS outer identity & accounting

2007-03-15 Thread Sam Schultz
On Thu, 15 Mar 2007 10:51:17 -0500 Alan DeKok
<[EMAIL PROTECTED]> wrote:
>Sam Schultz wrote:
>> An entry like:
>>
>> DEFAULT Realm == "test", Autz-Type := sql-test
>> User-Name = "%{User-Name}"
>
>  Please read "man users" for the definition and meaning of operators.
>
>  You want:
>
>DEFAULT ...
>   User-Name := ...

Actually, the example above was a typo. The 'User-Name =' line was
'User-Name :=' during testing, which is the part that is confusing,
since the documentation states:

   Attribute := Value
   Always matches as a check item, and replaces in the configuration
   items any attribute of the same name. If no attribute of that
   name appears in the request, then this attribute is added.

   As a reply item, it has an identical meaning, but for the reply
   items, instead of the request items.

According to this passage from the operators web page
(http://wiki.freeradius.org/Operators), I would expect the original
'[EMAIL PROTECTED]' entry to be replaced by '[EMAIL PROTECTED]', and not be
appended to the list like what is apparently happening.

>...
>> Followed by Accounting-Requests that still contain the anonymous entry,
>> so it is still using the oldest (first?) User-Name attribute. Is
>> there any way at all to REMOVE already set attributes so they aren't
>> re-sent to the NAS?
>
>  The documentation helps in these matters.

The documentation helps ONLY if the documentation is consistent with
the application's design, and ONLY if the NASes at the other end adhere
to the RADIUS standard. Of course, I would chalk this up to a mistake in
my configuration before asserting the former. fr's output seems to rule
out the latter.

>
>  Alan DeKok.
>--
>  http://deployingradius.com   - The web site of the book
>  http://deployingradius.com/blog/ - The blog


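As an added illustration (not FreeRADIUS code, and not from anyone in this thread), the Python below models the reply-item operator semantics quoted from the documentation above, applied to the situation the thread is about: an ordered reply attribute list that already carries the anonymous outer identity, and a DEFAULT entry's reply line such as `User-Name := "%{User-Name}"` evaluated against the inner (tunneled) request and merged into that list. The `=` / `:=` / `+=` behaviour follows "man users"; the order in which rlm_eap_ttls actually combines inner and outer replies is not modeled, and the identities, realm and reply lines are constructed sample values.

```python
"""Model of FreeRADIUS 'users'-file reply operators applied to an ordered
reply attribute list. Added example, not FreeRADIUS source code: the
operator semantics follow the "man users" text quoted in the thread, and
rlm_eap_ttls's real merge order is not modeled. All identities below are
constructed sample values."""
import re
from typing import Dict, List, Tuple

# Ordered (Attribute, Value) pairs, as attributes appear in a RADIUS reply
AttrList = List[Tuple[str, str]]

# One reply item such as   User-Name := "%{User-Name}"   (optional trailing comma)
REPLY_ITEM = re.compile(r'^\s*([A-Za-z0-9-]+)\s*(:=|\+=|=)\s*(.+?)\s*,?\s*$')
XLAT = re.compile(r'%\{([A-Za-z0-9-]+)\}')  # %{Attribute} expansion


def parse_reply_item(line: str) -> Tuple[str, str, str]:
    """Split a users-file reply line into (attribute, operator, raw value)."""
    m = REPLY_ITEM.match(line)
    if not m:
        raise ValueError(f"not a reply item: {line!r}")
    attr, op, raw = m.groups()
    return attr, op, raw.strip('"`')  # both quotes and backticks appear in the thread


def expand(value: str, request: Dict[str, str]) -> str:
    """Expand %{Attribute} references from the (inner, tunneled) request attributes."""
    return XLAT.sub(lambda m: request.get(m.group(1), ""), value)


def apply_reply_item(reply: AttrList, attr: str, op: str, value: str) -> AttrList:
    """Return a new reply list after applying one reply item with the given operator."""
    present = any(name == attr for name, _ in reply)
    if op == "=":
        # '=' adds the attribute only when none of that name is already present
        return list(reply) if present else reply + [(attr, value)]
    if op == ":=":
        # ':=' replaces any existing attribute of that name, or adds it
        if not present:
            return reply + [(attr, value)]
        out: AttrList = []
        replaced = False
        for name, val in reply:
            if name != attr:
                out.append((name, val))
            elif not replaced:
                out.append((attr, value))  # first match replaced
                replaced = True
            # further duplicates of attr are dropped
        return out
    if op == "+=":
        # '+=' always appends, which is how a reply ends up with two User-Name attributes
        return reply + [(attr, value)]
    raise ValueError(f"unsupported reply operator {op!r}")


def merge_tunneled_reply(outer_reply: AttrList, reply_lines: List[str],
                         inner_request: Dict[str, str]) -> AttrList:
    """Apply a DEFAULT entry's reply lines (expanded in the inner request) to the outer reply."""
    reply = list(outer_reply)
    for line in reply_lines:
        attr, op, raw = parse_reply_item(line)
        reply = apply_reply_item(reply, attr, op, expand(raw, inner_request))
    return reply


def first_value(reply: AttrList, attr: str):
    """What a NAS that takes the first matching attribute would copy into accounting."""
    for name, val in reply:
        if name == attr:
            return val
    return None


if __name__ == "__main__":
    outer = [("User-Name", "anonymous@test")]  # constructed outer identity in the outer reply
    inner = {"User-Name": "bob@test"}          # constructed real identity seen in the tunnel
    for op in ("=", ":=", "+="):
        merged = merge_tunneled_reply(outer, [f'User-Name {op} "%{{User-Name}}"'], inner)
        print(op, merged, "-> accounting would see", first_value(merged, "User-Name"))
```

Run stand-alone, the loop shows the three outcomes the thread circles around: `=` leaves only the anonymous name, `:=` leaves only the real one, and `+=` yields both, with a NAS that takes the first User-Name reporting the anonymous identity in its Accounting-Requests.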


Re: RE : EAP-TTLS outer identity & accounting

2007-03-15 Thread Alan DeKok
Sam Schultz wrote:
> An entry like:
> 
> DEFAULT Realm == "test", Autz-Type := sql-test
> User-Name = "%{User-Name}"

  Please read "man users" for the definition and meaning of operators.

  You want:

DEFAULT ...
User-Name := ...
...
> Followed by Accounting-Requests that still contain the anonymous entry,
> so it is still using the oldest (first?) User-Name attribute. Is
> there any way at all to REMOVE already set attributes so they aren't
> re-sent to the NAS?

  The documentation helps in these matters.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: RE : EAP-TTLS outer identity & accounting

2007-03-14 Thread Sam Schultz
An entry like:

DEFAULT Realm == "test", Autz-Type := sql-test
User-Name = "%{User-Name}"

does add a new User-Name attribute with the proper value, but I need a
way to delete the anonymous@ entry still, because I get Access-Accepts
like this:

Sending Access-Accept of id 134 to 192.168.0.5 port 5190
User-Name := "[EMAIL PROTECTED]"
User-Name := "[EMAIL PROTECTED]"

Followed by Accounting-Requests that still contain the anonymous entry,
so it is still using the oldest (first?) User-Name attribute. Is
there any way at all to REMOVE already set attributes so they aren't
re-sent to the NAS?

For that matter, shouldn't the "use_tunneled_reply = yes" in the ttls
module configuration have kept me from having this problem?

I also have copy_request_to_tunnel set to yes, but I doubt that should
be causing a problem like this.

On Wed, 14 Mar 2007 13:03:21 -0500 Sam Schultz
<[EMAIL PROTECTED]> wrote:
>On Wed, 14 Mar 2007 11:25:20 -0500 Thibault Le Meur
><[EMAIL PROTECTED]> wrote:
>>> -----Original Message-----
>>> From:
>>> [EMAIL PROTECTED]
>>> radius.org
>>> [mailto:[EMAIL PROTECTED]
>>> sts.freeradius.org] On Behalf Of Sam Schultz
>>> Sent: Wednesday 14 March 2007 17:13
>>> To: freeradius-users@lists.freeradius.org
>>> Subject: Re: EAP-TTLS outer identity & accounting
>>>
>>> On Tue, 13 Mar 2007 13:15:52 -0500 Alan DeKok
>>> <[EMAIL PROTECTED]> wrote:
>>> >Sam Schultz wrote:
>>> >>
>>> >> This should be solvable by adding something like
>>> >> 'User-Name = %{User-Name}' to the DEFAULT entries in the users file,
>>> >> correct?
>>> >
>>> >  Yes.
>>>
>>> One of my users file DEFAULT entries looks like this:
>>>
>>> DEFAULT Realm == "test", Autz-Type := sql-test, User-Name = "%u"
>>>
>>> However, FreeRADIUS tells me this:
>>>
>>> Error: Invalid operator for item User-Name: reverting to '=='
>>>
>>> I assume I'm not supposed to forcibly change User-Name, so what
>>> attribute would I set to return the correct username to the NAS?
>>> I know there is a run-time variable %{reply:User-Name}, would I
>>> need to somehow update it with the correct value for User-Name
>>> instead?
>>
>>Yes, by simply adding the User-Name = XXX to the reply items (that
>>is to say not on the first line). Try something like this:
>
>This didn't make much sense at first, but I think I understand it now.
>What you're saying is that the first line is only for check items,
>which is why I couldn't set User-Name there. The second line and beyond
>then are for, what? Reply items ONLY, or check & reply items? Is this
>documented anywhere? I just did a quick check through the freeradius
>doc directory, and only found a rlm_fastusers document which didn't
>have anything to say about format restrictions.
>
>>
>>DEFAULT Realm == "test", Autz-Type := sql-test
>>  User-Name=`%{User-Name}`
>>
>>HTH,
>>Thibault



Re: RE : EAP-TTLS outer identity & accounting

2007-03-14 Thread Alan DeKok
Sam Schultz wrote:

> What you're saying is that the first line is only for check items,
> which is why I couldn't set User-Name there. The second line and beyond
> then are for, what? Reply items ONLY, or check & reply items? Is this
> documented anywhere?

  In the comments in the "users" file, and in "man rlm_files", which is
the man page for the module implementing the "users" file.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: RE : EAP-TTLS outer identity & accounting

2007-03-14 Thread Sam Schultz


On Wed, 14 Mar 2007 11:25:20 -0500 Thibault Le Meur
<[EMAIL PROTECTED]> wrote:
>> -----Original Message-----
>> From:
>> [EMAIL PROTECTED]
>> radius.org
>> [mailto:[EMAIL PROTECTED]
>> sts.freeradius.org] On Behalf Of Sam Schultz
>> Sent: Wednesday 14 March 2007 17:13
>> To: freeradius-users@lists.freeradius.org
>> Subject: Re: EAP-TTLS outer identity & accounting
>>
>> On Tue, 13 Mar 2007 13:15:52 -0500 Alan DeKok
>> <[EMAIL PROTECTED]> wrote:
>> >Sam Schultz wrote:
>> >>
>> >> This should be solvable by adding something like
>> >> 'User-Name = %{User-Name}' to the DEFAULT entries in the users file,
>> >> correct?
>> >
>> >  Yes.
>>
>> One of my users file DEFAULT entries looks like this:
>>
>> DEFAULT Realm == "test", Autz-Type := sql-test, User-Name = "%u"
>>
>> However, FreeRADIUS tells me this:
>>
>> Error: Invalid operator for item User-Name: reverting to '=='
>>
>> I assume I'm not supposed to forcibly change User-Name, so what
>> attribute would I set to return the correct username to the NAS?
>> I know there is a run-time variable %{reply:User-Name}, would I
>> need to somehow update it with the correct value for User-Name
>> instead?
>
>Yes, by simply adding the User-Name = XXX to the reply items (that
>is to say not on the first line). Try something like this:

This didn't make much sense at first, but I think I understand it now.
What you're saying is that the first line is only for check items,
which is why I couldn't set User-Name there. The second line and beyond
then are for, what? Reply items ONLY, or check & reply items? Is this
documented anywhere? I just did a quick check through the freeradius
doc directory, and only found a rlm_fastusers document which didn't
have anything to say about format restrictions.

>
>DEFAULT Realm == "test", Autz-Type := sql-test
>   User-Name=`%{User-Name}`
>
>HTH,
>Thibault
>
>
>



RE : EAP-TTLS outer identity & accounting

2007-03-14 Thread Thibault Le Meur


> -----Original Message-----
> From:
> [EMAIL PROTECTED]
> radius.org
> [mailto:[EMAIL PROTECTED]
> sts.freeradius.org] On Behalf Of Sam Schultz
> Sent: Wednesday 14 March 2007 17:13
> To: freeradius-users@lists.freeradius.org
> Subject: Re: EAP-TTLS outer identity & accounting
>
> On Tue, 13 Mar 2007 13:15:52 -0500 Alan DeKok
> <[EMAIL PROTECTED]> wrote:
> >Sam Schultz wrote:
> >>
> >> This should be solvable by adding something like
> >> 'User-Name = %{User-Name}' to the DEFAULT entries in the users file,
> >> correct?
> >
> >  Yes.
>
> One of my users file DEFAULT entries looks like this:
>
> DEFAULT Realm == "test", Autz-Type := sql-test, User-Name = "%u"
>
> However, FreeRADIUS tells me this:
>
> Error: Invalid operator for item User-Name: reverting to '=='
>
> I assume I'm not supposed to forcibly change User-Name, so what
> attribute would I set to return the correct username to the NAS?
> I know there is a run-time variable %{reply:User-Name}, would I
> need to somehow update it with the correct value for User-Name
> instead?

Yes, by simply adding the User-Name = XXX to the reply items (that is to say
not on the first line). Try something like this:

DEFAULT Realm == "test", Autz-Type := sql-test
User-Name=`%{User-Name}`

HTH,
Thibault





Re: EAP-TTLS outer identity & accounting

2007-03-14 Thread Sam Schultz


On Tue, 13 Mar 2007 13:15:52 -0500 Alan DeKok
<[EMAIL PROTECTED]> wrote:
>Sam Schultz wrote:
>>
>> This should be solvable by adding something like
>> 'User-Name = %{User-Name}' to the DEFAULT entries in the users file,
>> correct?
>
>  Yes.

One of my users file DEFAULT entries looks like this:

DEFAULT Realm == "test", Autz-Type := sql-test, User-Name = "%u"

However, FreeRADIUS tells me this:

Error: Invalid operator for item User-Name: reverting to '=='

I assume I'm not supposed to forcibly change User-Name, so what
attribute would I set to return the correct username to the NAS?
I know there is a run-time variable %{reply:User-Name}, would I
need to somehow update it with the correct value for User-Name
instead?

This question seems to have been asked several times on the list
before, but I have yet to find a definitive answer to it.

>
>  Alan DeKok.
>--
>  http://deployingradius.com   - The web site of the book
>  http://deployingradius.com/blog/ - The blog




Re: EAP-TTLS outer identity & accounting

2007-03-13 Thread Alan DeKok
Sam Schultz wrote:
>
> This should be solvable by adding something like 
> 'User-Name = %{User-Name}' to the DEFAULT entries in the users file,
> correct?

  Yes.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: EAP-TTLS outer identity & accounting

2007-03-13 Thread Sam Schultz
On Tue, 13 Mar 2007 11:58:51 -0500 Alan DeKok 
<[EMAIL PROTECTED]> wrote:
>Sam Schultz wrote:
>> I'm currently using EAP-TTLS & PAP (via SecureW2) to authorize &
>> authenticate wireless clients against specific realms. Users are
>> able to authorize & authenticate properly, but the username in 
>> incoming accounting replies come in as 'anonymous@'.
>
>  You can set "User-Name" in the Access-Accept, and the NAS should 
>  use that in Accounting-Requests.
>

This should be solvable by adding something like 
'User-Name = %{User-Name}' to the DEFAULT entries in the users file,
correct?

>> I had this spitting out proper accounting information before,
>> and haven't changed any configuration options since putting it
>> into production. The only conclusions I can come up with are:
>> 
>> 1) The access points are buggy (3com OfficeConnects)
>
>  No.
>
>> 2) FreeRADIUS doesn't keep track of connections properly -- either
>>because it doesn't bother to replace anonymous entries with the
>>previously seen identity for the given ID, or I haven't
>>configured it to do so.
>
>  No.
>
>  The problem is that the supplicant is sending "[EMAIL PROTECTED]" as the
>User-Name.
>
>  Alan DeKok.
>--
>  http://deployingradius.com   - The web site of the book
>  http://deployingradius.com/blog/ - The blog




Re: EAP-TTLS outer identity & accounting

2007-03-13 Thread Alan DeKok
Sam Schultz wrote:
> I'm currently using EAP-TTLS & PAP (via SecureW2) to authorize &
> authenticate wireless clients against specific realms. Users are
> able to authorize & authenticate properly, but the username in 
> incoming accounting replies come in as 'anonymous@'.

  You can set "User-Name" in the Access-Accept, and the NAS should use
that in Accounting-Requests.

> I had this spitting out proper accounting information before,
> and haven't changed any configuration options since putting it
> into production. The only conclusions I can come up with are:
> 
> 1) The access points are buggy (3com OfficeConnects)

  No.

> 2) FreeRADIUS doesn't keep track of connections properly -- either
>because it doesn't bother to replace anonymous entries with the
>previously seen identity for the given ID, or I haven't
>configured it to do so. 

  No.

  The problem is that the supplicant is sending "[EMAIL PROTECTED]" as the
User-Name.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
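The root of the thread is that accounting is only attributable when the NAS copies a real User-Name from the Access-Accept into its Accounting-Requests; while the outer identity is used, sessions cannot be tied to a user. As an added example (not FreeRADIUS code, and not from anyone in this thread), the Python below reads accounting records in the layout the FreeRADIUS detail file uses (a timestamp line, tab-indented `Attribute = Value` lines, a blank line between records) and flags every record whose User-Name is still an EAP-TTLS outer identity, so an operator can find the sessions that were accounted anonymously. The records, session ids, MAC and IP addresses are constructed sample data.

```python
"""Audit check for accounting records whose User-Name is still the EAP-TTLS
anonymous outer identity. Added example, not FreeRADIUS code; it relies only
on the detail-file layout (timestamp line, tab-indented 'Attr = Value' lines,
blank line between records). The sample records below are constructed."""
import re
from typing import Dict, List

# Constructed detail-file excerpt: one attributable session and one that is not
SAMPLE_DETAIL = """\
Tue Mar 13 09:41:07 2007
\tAcct-Status-Type = Start
\tUser-Name = "bob@test"
\tAcct-Session-Id = "45000012"
\tNAS-IP-Address = 192.168.0.5
\tCalling-Station-Id = "00-11-22-33-44-55"

Tue Mar 13 09:43:51 2007
\tAcct-Status-Type = Start
\tUser-Name = "anonymous@test"
\tAcct-Session-Id = "45000013"
\tNAS-IP-Address = 192.168.0.5
\tCalling-Station-Id = "00-11-22-33-44-66"

Tue Mar 13 10:02:19 2007
\tAcct-Status-Type = Stop
\tUser-Name = "anonymous@test"
\tAcct-Session-Id = "45000013"
\tAcct-Session-Time = 1108
\tNAS-IP-Address = 192.168.0.5
"""

ATTR_LINE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$')


def parse_detail(text: str) -> List[Dict[str, str]]:
    """Split detail-file text into records; each is a dict of attributes plus its timestamp."""
    records: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
            current = None
            continue
        if not line[0].isspace():  # an unindented line is the timestamp that starts a record
            if current:
                records.append(current)
            current = {"timestamp": line.strip()}
            continue
        m = ATTR_LINE.match(line)
        if m and current is not None:
            attr, value = m.groups()
            current[attr] = value.strip('"')  # string values are quoted in the detail file
    if current:
        records.append(current)
    return records


def is_anonymous_identity(user_name: str) -> bool:
    """True for the outer identities a TTLS supplicant sends: 'anonymous@realm', '@realm' or ''."""
    local, _, _realm = user_name.partition("@")
    return local.strip().lower() in ("", "anonymous")


def unattributable_sessions(text: str) -> Dict[str, List[str]]:
    """Map Acct-Session-Id -> Acct-Status-Type values of records accounted under an
    anonymous outer identity, i.e. accounting that cannot be tied to a real user."""
    flagged: Dict[str, List[str]] = {}
    for rec in parse_detail(text):
        if is_anonymous_identity(rec.get("User-Name", "")):
            sid = rec.get("Acct-Session-Id", "<no-session-id>")
            flagged.setdefault(sid, []).append(rec.get("Acct-Status-Type", "?"))
    return flagged


if __name__ == "__main__":
    for sid, statuses in unattributable_sessions(SAMPLE_DETAIL).items():
        print(f"session {sid}: {', '.join(statuses)} accounted under an anonymous identity")
```

Pointing `parse_detail` at a real detail file (one read per day's file) gives the same check over production data; a non-empty result after the users-file fix is applied means some NAS is still not honouring the User-Name returned in the Access-Accept.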