-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 20:15 -0500 06/02/2006, Julian Y. Koh wrote:
>They said that this inner/outer identity thing will be fixed in a build of
>5.4 (we're running an interim build of 5.3 that has the fix for the Windows
>password change issue). We should get the build in the next couple of weeks,
>just in time for our planned rollout. I was told that SBR will always record
>the inner identity in its accounting records and ignore whatever's in the
>outer identity.
>
>On a side note, there's another issue where if you have SBR sending
>accounting to an SQL database, the timestamps are 30 days in the past. That
>will also be fixed in this future build of 5.4.
>
>So, the build they deliver will definitely have those 2 fixes in it. I'll
>let everyone know how it goes after we install the upgrade.

Going back again to this old thread...figured an update would be appropriate
at this point in time.

We got the new 5.4 build from Funk/Juniper and tried to install it on 6/18.
The 3 bugs that were supposed to have been fixed, just for review, were:

1.) inner/outer identity logging in accounting records
2.) timestamps in SQL accounting records
3.) another crashing bug

The problem with 5.4 as opposed to 5.3 is that 5.4 removes the "NT Domain"
login method, leaving us only with the "Windows Domain" method.
Unfortunately, this broke logins from our VPN using the Cisco IPSec client,
since that's a PAP login as opposed to MS-CHAPv2. PAP logins get directed to
the NT Domain login method, whereas MS-CHAPv2 logins go through the Windows
Domain method.

Apologies in advance - this is all rather convoluted. SBR is running on an
Active Directory Domain Controller, since this was a requirement for MS-CHAP
compatibility back in the version 3 and 4 days. Apparently now that's no
longer a requirement, but if you want to process those PAP logins, you need
to grant the users the right to log in locally on the server that you're
running SBR on. Obviously this is not cool for a domain controller, and we
haven't had time to play around with demoting the server from a domain
controller to a domain member server.

So I went back to the test build of 5.3 that we had before and tried using
the new sqlacct.dll file that I had been given, so at least we fixed the
timestamps on the SQL accounting records. But we're still stuck with the
problem of inner/outer identity logging. Now we find out from Funk that
their fix in 5.4 still isn't working like they wanted, with a final fix
scheduled for Q4 2006.

This is obviously totally not cool, and will probably force us to jumpstart
our freeradius efforts. The pain in the butt is that we just did our
official rollout of the 802.1X/WPA2 wireless this week, and all the docs
point to verifying the cert of the SBR server. Not an insurmountable deal to
fix, but it looks bad if we have to switch. OTOH, switching now will be the
best time to do it before we get a lot of people using the service, and it
would be better than having people masquerade as other users in the
accounting records....

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.6 (Build 6060)
Comment: <http://bt.ittns.northwestern.edu/julian/pgppubkey.html>

iQA/AwUBRLgEmg5UB5zJHgFjEQLeXwCgjuv1tioVJzh/Lm05tDzDqV5mqOAAoLwE
WLOD+++p27BMypMW4cFhUPM8
=xA66
-----END PGP SIGNATURE-----

--
Julian Y. Koh <mailto:[EMAIL PROTECTED]>
Network Engineer <phone:847-467-5780>
Telecommunications and Network Services
Northwestern University
PGP Public Key: <http://bt.ittns.northwestern.edu/julian/pgppubkey.html>

**********
Participation and subscription information for this EDUCAUSE Constituent
Group discussion list can be found at http://www.educause.edu/groups/.
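The masquerading risk Julian describes above (accounting records that carry the EAP outer identity, which the supplicant chooses freely, instead of the inner identity that was actually authenticated inside the TLS tunnel) can be checked for after the fact by cross-referencing accounting against authentication. The following is an added example written for this page; it is not code from the original post and not part of SBR or FreeRADIUS. The "detail"-style record layout, the attribute names, the session IDs and the user names are all constructed for the example, and the authentication-side table (outer and inner identity per session) is assumed to have been exported from the server's own authentication log.

```python
"""Cross-check RADIUS accounting records against the authenticated inner identity.

Added example, not code from the original post and not part of SBR or
FreeRADIUS.  With EAP-PEAP/EAP-TTLS the outer identity is cleartext and
supplicant-chosen; only the inner identity is authenticated.  A server that
writes the outer identity into accounting lets a client have its traffic
attributed to someone else.  All data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# What the authentication server knew at Access-Accept time, keyed by the
# Acct-Session-Id the NAS later reports in accounting.  Constructed values;
# in practice this comes from the server's authentication log.
AUTH_SESSIONS: Dict[str, Dict[str, str]] = {
    "0000001A": {"outer": "anonymous@example.edu", "inner": "alice@example.edu"},
    "0000001B": {"outer": "bob@example.edu",       "inner": "mallory@example.edu"},
    "0000001C": {"outer": "carol@example.edu",     "inner": "carol@example.edu"},
}

# Accounting-Request records in a FreeRADIUS-style "detail" layout: a timestamp
# line, indented "Attribute = value" lines, blank line between records.
ACCT_DETAIL = """\
Thu Jun 22 10:15:01 2006
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0000001A"
\tUser-Name = "anonymous@example.edu"
\tNAS-IP-Address = 10.0.0.5

Thu Jun 22 10:16:12 2006
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0000001B"
\tUser-Name = "bob@example.edu"
\tNAS-IP-Address = 10.0.0.5

Thu Jun 22 10:17:40 2006
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0000001C"
\tUser-Name = "carol@example.edu"
\tNAS-IP-Address = 10.0.0.5

Thu Jun 22 10:17:55 2006
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0000001D"
\tUser-Name = "dave@example.edu"
\tNAS-IP-Address = 10.0.0.5

Thu Jun 22 10:18:03 2006
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "0000001A"
\tUser-Name = "anonymous@example.edu"
\tAcct-Session-Time = 182
"""

# One "Attribute = value" line; surrounding quotes on the value are optional.
ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_detail(text: str) -> List[Dict[str, str]]:
    """Return one {attribute: value} dict per record; timestamp lines are dropped."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = ATTR_RE.match(line)
            if m:
                rec[m.group(1)] = m.group(2)
        if rec:
            records.append(rec)
    return records


@dataclass
class Finding:
    session: str
    accounted: str        # User-Name as written in the accounting record
    inner: Optional[str]  # identity actually authenticated, if known
    verdict: str          # ok | outer-identity-logged | unknown-identity | no-auth-record


def check_accounting(records: List[Dict[str, str]],
                     sessions: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Classify each Start record by whether its User-Name is the inner identity."""
    findings = []
    for rec in records:
        if rec.get("Acct-Status-Type") != "Start":
            continue
        sid = rec.get("Acct-Session-Id", "")
        name = rec.get("User-Name", "")
        auth = sessions.get(sid)
        if auth is None:
            findings.append(Finding(sid, name, None, "no-auth-record"))
        elif name == auth["inner"]:
            findings.append(Finding(sid, name, auth["inner"], "ok"))
        elif name == auth["outer"]:
            findings.append(Finding(sid, name, auth["inner"], "outer-identity-logged"))
        else:
            findings.append(Finding(sid, name, auth["inner"], "unknown-identity"))
    return findings


def masquerades(findings: List[Finding]) -> List[Finding]:
    """Outer identity logged AND it names a real-looking user other than the one
    authenticated: the 'masquerade as other users' case.  A logged 'anonymous'
    outer identity loses attribution but impersonates nobody."""
    return [f for f in findings
            if f.verdict == "outer-identity-logged"
            and not f.accounted.lower().startswith("anonymous")]


if __name__ == "__main__":
    results = check_accounting(parse_detail(ACCT_DETAIL), AUTH_SESSIONS)
    for f in results:
        print(f"{f.session}  accounted={f.accounted:<24} inner={f.inner}  {f.verdict}")
    for f in masquerades(results):
        print(f"MASQUERADE: session {f.session} logged as {f.accounted}, really {f.inner}")
```

One limitation worth keeping in mind when reading the output: where a supplicant sends its real name as the outer identity (the carol session above), the accounted name matches the inner identity whether the server logged the inner or the outer one, so the check cannot tell a correct server from a broken one on those sessions. Sessions whose outer identity is "anonymous" or differs from the inner one are the ones that expose the behaviour.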
