VSA and other attributes in Access-Accept
- To: freeradius-users@lists.freeradius.org
- Subject: VSA and other attributes in Access-Accept
- From: Mohammed Petiwala <mhpetiwala@yahoo.com>
- Date: Fri, 29 Sep 2006 11:48:42 -0700 (PDT)
- Reply-to: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Hi:
Could anyone please provide me some advice on my question below.
Currently I am seeing VSAs in my reply messages from freeRADIUS being passed in Access-Accept, Access-Challenge. I would like to limit certain VSAs to only Accepts, or Challenge.
Is this possible - because according to the RFCs for 3GPP/3GPP2 only some of them are possible in certain types of responses.
Thx.
Regards,
Mohammed.
Date: Thu, 30 Mar 2006 14:06:02 -0800 (PST)
From: Mohammed Petiwala <mhpetiwala@yahoo.com>
Subject: VSA and other attributes in Access-Accept
To: freeradius-users@lists.freeradius.org
Hi:
First, thanks to the freeRADIUS team - this is one of the most flexible and powerful AAA available...
I've 2 questions:
1. I've set up my clients to authenticate using EAP-TTLS with MSCHAPv2 as the inner authentication protocol. This works fine with the wpa_supplicant with Intel 2200b/g as well as the Cisco Aironet 350. I've created my own dictionary file with VSAs that are useful for my NAS once Access-Accept is returned.
The 'users' file has the VSAs Attrib = Value listed after each user entry and I do see the attributes being returned correctly on Access-Accept. My question is (please correct me if I am wrong) - I see the VSAs being returned during the intermediate Access-Challenge messages too, even before authentication is complete. Is this the normal behavior? Is there a way to set up the freeRADIUS server so that the VSAs are only returned on Access-Accept and not during the Access-Challenge? The NAS does ignore the VSAs in any case during the challenge - but it would be good if there was a way to limit the message size for the Access-Challenge messages (only if this is valid from RADIUS RFC perspective - if someone could clarify).
2. How can I set users in the 'users' file (an example would be very helpful if someone can send) so that some users are only allowed to authenticate using EAP-TTLS while others are only allowed to use PEAP. Once I create an entry into the users file (and both authentications are EAP types) - the user can authenticate using any eap type - I would like to limit this per user. Is it possible??
Thx.
Regards,
Mohammed.