<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>Message</TITLE>
<META content="MSHTML 6.00.2900.2995" name=GENERATOR></HEAD>
<BODY>
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=fr dir=ltr align=left><FONT face=Tahoma
size=2>-----Original Message-----<BR><B>From:</B>
freeradius-users-bounces+thibault.lemeur=supelec.fr@lists.freeradius.org
[mailto:freeradius-users-bounces+thibault.lemeur=supelec.fr@lists.freeradius.org]
<B>On Behalf Of</B> jerrrry@voila.fr<BR><B>Sent:</B> Friday, December 1,
2006 17:16<BR><B>To:</B>
freeradius-users@lists.freeradius.org<BR><B>Subject:</B> differentiating
radius attribute<BR><BR></FONT></DIV>
<P>Hi everybody,</P>
<P>I'm using FreeRADIUS to authenticate and authorize users to Cisco
switches/routers/FW.<BR>My issue is that I want to do AAA for 3 things on the
same device: device administrator login (telnet), 802.1x EAP/MD5, and
managing firewall FWSM ACLs (radius attribute in the response:
filter-id=acl_name). </P>
<P>My question is how to differentiate these 3 needs by a radius attribute in
the request, to be able to send in the response only the right radius
authorization attribute depending on which AAA type is asking. </P>
<P><SPAN class=783585216-01122006><FONT face=Arial color=#0000ff size=2>Could
you run the radius server in debug mode (radiusd -X), and check what attributes
are present in the Request? Maybe something like Service-Type,
Framed-Protocol, and NAS-Port could be used.</FONT></SPAN></P>
<P><SPAN class=783585216-01122006><FONT face=Arial color=#0000ff size=2>For
instance this is a request from a PPP server:</FONT></SPAN></P>
<P><SPAN class=783585216-01122006><FONT face=Arial color=#0000ff
size=2>rad_recv: Access-Request packet from host A.B.C.D:32776, id=171, length=136<BR>
Service-Type = Framed-User<BR>
Framed-Protocol = PPP<BR>
User-Name = "MyLogin"<BR>
MS-CHAP-Challenge = 0xXXXXXX<BR>
MS-CHAP2-Response = 0xXXXXXXXX<BR>
NAS-IP-Address = X.Y.Z.T<BR>
NAS-Port = 0<BR></FONT></SPAN></P>
<P><SPAN class=783585216-01122006><FONT face=Arial color=#0000ff size=2>And
this is a request from a WiFi access (not on the same NAS
though):</FONT></SPAN></P>
<P><SPAN class=783585216-01122006><FONT face=Arial color=#0000ff
size=2>rad_recv: Access-Request packet from host A.B.C.D:1030, id=1, length=213<BR>
Message-Authenticator = 0xXXXXXXXXXXXXXXXX<BR>
Service-Type = Framed-User<BR>
User-Name = "anonymous"<BR>
Framed-MTU = 1492<BR>
State = 0xXXXXXXXXX<BR>
Called-Station-Id = "MACADDR:SSID"<BR>
Calling-Station-Id = "MACADDR"<BR>
NAS-Identifier = "AP_Name"<BR>
NAS-Port-Type = Wireless-802.11<BR>
Connect-Info = "802.11g"<BR>
EAP-Message = 0xXXXXXXXX<BR>
NAS-IP-Address = X.Y.Z.T<BR>
NAS-Port = 1<BR>
NAS-Port-Id = "STA port # 1"<BR></FONT></SPAN></P>
<P><SPAN class=783585216-01122006><FONT face=Arial color=#0000ff size=2>Check
also in your NAS setup if you can add specific attributes to the
Request depending on the service used.</FONT></SPAN></P>
<P><SPAN class=783585216-01122006><FONT face=Arial color=#0000ff
size=2>HTH,</FONT></SPAN></P>
<P><SPAN class=783585216-01122006><FONT face=Arial color=#0000ff
size=2>Thibault</FONT></SPAN></P></BLOCKQUOTE></BODY></HTML>
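One way to do the comparison suggested in the reply, as an added example that is not part of the original message: the script parses Access-Request blocks in the rad_recv debug format quoted above and lists the attributes whose presence or value differs between them. The sample packets, the function names and the choice to ignore User-Name are assumptions made for the illustration.

```python
import re

# Attribute lines in the debug output are indented "Name = value" pairs.
ATTR = re.compile(r"^\s+([\w-]+) = (.*)$")

def parse_requests(debug_text):
    """Return one {attribute: value} dict per Access-Request in the debug output."""
    packets, current = [], None
    for line in debug_text.splitlines():
        m = ATTR.match(line)
        if line.startswith("rad_recv:"):
            current = {} if "Access-Request" in line else None
            if current is not None:
                packets.append(current)
        elif current is not None and m:
            current[m.group(1)] = m.group(2).strip().strip('"')
        else:
            current = None  # any other line ends the attribute list
    return packets

def discriminators(packets, ignore=()):
    """Attributes whose presence or value differs between the given requests."""
    result = {}
    for name in sorted(set().union(*packets) - set(ignore)):
        # Hex blobs change on every packet; only their presence is a signal.
        column = ["<present>" if p.get(name, "").startswith("0x") else p.get(name)
                  for p in packets]
        if len(set(column)) > 1:
            result[name] = column
    return result

# Constructed sample modelled on the two requests quoted above (values are made up).
SAMPLE = """\
rad_recv: Access-Request packet from host 192.0.2.10:32776, id=171, length=136
\tService-Type = Framed-User
\tFramed-Protocol = PPP
\tUser-Name = "alice"
\tNAS-Port = 0
rad_recv: Access-Request packet from host 192.0.2.10:1030, id=1, length=213
\tService-Type = Framed-User
\tUser-Name = "anonymous"
\tNAS-Port-Type = Wireless-802.11
\tEAP-Message = 0x0201000601
\tNAS-Port = 1
"""

if __name__ == "__main__":
    print(discriminators(parse_requests(SAMPLE), ignore={"User-Name"}))
```

As in the two requests quoted in the message, Service-Type is Framed-User in both samples and drops out of the result; Framed-Protocol, NAS-Port-Type and the presence of EAP-Message are what separate them.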