On Tue, Jan 4, 2011 at 2:40 PM, miha- <miha_zoubek@hotmail.com> wrote:
Currently, there is a password matching issue because the User-Password encoding is different during the Authentication from the Authorization. During the Authentication step, the Centile's radius client send a User-Password encrypted with the secret. But during the Authorization step, we don't expect the Radius server to check again this password (which is sent anyway, I don't know if this is a bug or if it is required by Eyebill...).
So they deliberately do NOT encrypt password with the secret? That's just silly. They need to fix it.
The Authorization request contains the attribute Acct-Status-Type with the value 17 that means "authorize only".
Shouldn't it be RADIUS Attribute 6, Service-Type? http://www.ietf.org/assignments/radius-types/radius-types.xml
It also contains the attribute Message-Authenticator with the digest value. So Freeradius should use those two attributes to accept or reject the request instead of the User-Name and User-Password.
If only "pap" is involved (which, from your debug log seems to be the case), you might be able to play with unlang and set Auth-Type := Accept for certain conditions (e.g. check whether Message-Authenticator exists, and whether it matches a certain value). http://wiki.freeradius.org/index.php/FAQ#How_do_I_permit_access_to_any_user_... http://freeradius.org/radiusd/man/unlang.html -- Fajar