Problem with Cisco-AVPair

Guy Davies aguydavies at gmail.com
Thu Apr 6 14:59:45 CEST 2006


I don't think you should be setting the Auth-Type.  Just let
FreeRADIUS work that out.  What are you doing with your Cisco AP?  Are
you doing PEAP/MS-CHAPv2?  If so, then you must have a User-Password
== "foo" in your user database and you *must not* set Auth-Type :=
EAP.

You should do as Sergio says and use == in your Cisco-AVPair check
item.  This is a comparison.

Rgds,

Guy

On 06/04/06, Antonio Matera <antonio.matera at create-net.it> wrote:
>  Hallo,
>  If I set Cisco-AVPair == "ssid=SSID1" in my user authentication, the
> authentication fails with any ssid and user.
>  If I set Cisco-AVPair := "ssid=SSID1" my users are always authenticated.
>
>  Is there any other configuration to set in the radius or in the access
> point?
>
>  In my access request there is the AVPair attribute:
>
>
>  rad_recv: Access-Request packet from host 192.168.9.104:1645, id=19, length=166
>        User-Name = "TEST4"
>        Framed-MTU = 1400
>        Called-Station-Id = "0012.dacb.8420"
>        Calling-Station-Id = "000c.f135.f1ba"
>        Cisco-AVPair = "ssid=VLAN3"
>        Service-Type = Login-User
>        Message-Authenticator = 0xb2a3f1fd52d9d6ff9702cc8f1f480f46
>        EAP-Message = 0x020600060d00
>        NAS-Port-Type = Wireless-802.11
>        Cisco-NAS-Port = "260"
>        NAS-Port = 260
>        State = 0x0491685cf8ece3184d685dedfedbb3d4
>        NAS-IP-Address = 192.168.9.104
>        NAS-Identifier = "ap"
>
>
>  but I don't understand if it works...
>
>
>  Any idea?
>
>
>  Thanks
>
>
>  on 06/04/2006 11.39 Sergio Sagliocco said the following:
>  Hi
> I think you have to try in this way (for example):
> TEST4 Cisco-AVPair == "ssid=SSID1" , Auth-Type := EAP
>  Tunnel-Medium-Type = IEEE-802,
>  Tunnel-Private-Group-Id = 2,
>  Tunnel-Type = VLAN
> DEFAULT Auth-Type := Reject
>
> if you want a password:
> TEST4 Cisco-AVPair == "ssid=SSID1" ,User-Password="XXXX", Auth-Type := EAP
>  Tunnel-Medium-Type = IEEE-802,
>  Tunnel-Private-Group-Id = 2,
>  Tunnel-Type = VLAN
> DEFAULT Auth-Type := Reject
>
> Regards
> sergio
>
> Antonio Matera wrote:
>
>
>  My goal is to authenticate users only if the SSID is right!
> Do you know how I can do it?
>
> Thanks
> Antonio
>
> on 05/04/2006 17.33 Sergio Sagliocco said the following:
>
>
>  Hello
> Is your goal to authenticate users only if the SSID is right, or to have
> different EAP authentication methods based on SSID?
>
> regards
> sergio
>
>
> Antonio Matera wrote:
>
>
>
>  Hallo,
> thanks for the answer.
>
> With your solution my radius doesn't authenticate my users....
> Is my configuration correct or do I need other changes in my radius files?
>
> Thanks bye
>
> on 05/04/2006 15.27 Sergio Sagliocco said the following:
>
>
>
>  Hi
> I think you have to use == instead of :=
> For example:
>
> DEFAULT Cisco-AVPair == "ssid=testLEAP" , EAP-Type := Cisco-LEAP
>
> Regards
>
>
>
>
>  - List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> --
>
> ----------------------------------------------
> Antonio Matera
> CREATE-NET
> Via Solteri, 38 - 38100 Trento
> e-mail: antonio.matera at create-net.it
> phone: +39 0461 408400 ext. 305
> fax: +39 0461 421157
> www.create-net.org
> ----------------------------------------------
>
>
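
Added example (not part of the original thread and not FreeRADIUS code): a simplified Python model of how the check items on the first line of a users entry are evaluated, run against the Cisco-AVPair value from the Access-Request quoted above. It assumes only the ==, != and := operators and first-match processing without Fall-Through; the function names and the two entry lists are constructed for illustration.

```python
import re

# One check item: Attribute OP Value (values containing commas are not handled).
ITEM = re.compile(r'\s*([\w-]+)\s*(:=|==|!=)\s*("[^"]*"|[^,\s]+)\s*')

def parse_items(line):
    items = []
    for part in line.split(","):
        m = ITEM.fullmatch(part)
        if not m:
            raise ValueError(f"unparsed check item: {part!r}")
        attr, op, val = m.groups()
        items.append((attr, op, val.strip('"')))
    return items

def match_entry(check_line, request):
    """Return the control items set by the entry, or None if it does not match."""
    control = {}
    for attr, op, val in parse_items(check_line):
        if op == ":=":                      # assignment: always "matches"
            control[attr] = val
        elif op == "==":                    # comparison against the request
            if request.get(attr) != val:
                return None
        elif op == "!=":                    # present in request, different value
            if attr not in request or request[attr] == val:
                return None
    return control

def authorize(users, request):
    for name, check_line in users:          # entries are tried in file order
        if name not in (request["User-Name"], "DEFAULT"):
            continue
        control = match_entry(check_line, request)
        if control is not None:
            return control                  # first match wins (no Fall-Through)
    return {}

# Attributes taken from the Access-Request in the thread.
REQUEST = {"User-Name": "TEST4", "Cisco-AVPair": "ssid=VLAN3"}

# Constructed entries: the same user line with == and with :=.
USERS_COMPARE = [("TEST4", 'Cisco-AVPair == "ssid=SSID1", Auth-Type := EAP'),
                 ("DEFAULT", "Auth-Type := Reject")]
USERS_ASSIGN = [("TEST4", 'Cisco-AVPair := "ssid=SSID1", Auth-Type := EAP'),
                ("DEFAULT", "Auth-Type := Reject")]

if __name__ == "__main__":
    print("==", authorize(USERS_COMPARE, REQUEST))
    print(":=", authorize(USERS_ASSIGN, REQUEST))
```

With ==, the request carrying ssid=VLAN3 falls through to the DEFAULT reject; with :=, the entry matches whatever SSID the access point reports, so the SSID restriction is not enforced at all.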
