Hi Axel, Thank you for update!
According to RFC 2865, an Access-Request packet MUST come with either a Calling-Station-Id or a NAS-Identifier AVP. So, if you don't have one, perhaps could you achieve something with the other one (if present, of course)?
NAS-Identifier attribute is sent on both access-requests, but is helpless for me, bcz I can't update it dynamically on linux machine... I'm developing the feature, that will reject user authentication for user+nas_ip+calling-station-id if in log it more than X failed login within last Y minutes from the user. Now this feature is working, but it rejects requestes based on user+nas_ip only, bcz calling_station_id is blank ((((
Looks more to be a "RADIUS_CLIENT" issue.
Yeah, I already reported new issue on github to pam_radius developers, but I afraid they will ignore it, just because NAS-Identifier is sent in both requests(((
Could you post an example of a (first Access-Request, second Access-Request) pair sent by that "RADIUS_CLIENT"? Sure, here is the output: 1st Access-Request: rad_recv: Access-Request packet from host 192.168.64.11 port 17193, id=5, length=98 User-Name = "username" User-Password = "some password" NAS-IP-Address = 192.168.64.11 NAS-Identifier = "sshd" NAS-Port = 16168 NAS-Port-Type = Virtual Service-Type = Authenticate-Only Calling-Station-Id = "192.168.65.20"
Sending Access-Challenge of id 5 to 192.168.64.11 port 17193 Reply-Message = "OTP code: " State = 0x33643539623066642d333162662d313165342d393939332d353235343030613964313334 2nd Access-Request: rad_recv: Access-Request packet from host 192.168.64.11 port 17193, id=6, length=108 User-Name = "username" User-Password = "736396" NAS-IP-Address = 192.168.64.11 NAS-Identifier = "sshd" NAS-Port = 16168 NAS-Port-Type = Virtual State = 0x33643539623066642d333162662d313165342d393939332d353235343030613964313334 BR, Dmitry. -----Original Message----- From: freeradius-users-bounces+simpot=simpot.com@lists.freeradius.org [mailto:freeradius-users-bounces+simpot=simpot.com@lists.freeradius.org] On Behalf Of Axel Luttgens Sent: 01 Sep 2014 11:52 To: FreeRadius users mailing list Subject: Re: There is no "Calling-Station-Id" attribute in access-requests sent in response to radius challenge from pam_radius-1.3.17-2.el6.x86_64 (CentOS release 6.5) Le 31 août 2014 à 23:21, Dmitry Saratsky a écrit :
Hi all,
I'm using freeradius for custom 2-factor OTP authentication as below: RADIUS_CLIENT > Access-Request(User/Pass) > FreeRADIUS(check user pass and if ok -> generates state) > Access-Challenge > RADIUS_CLIENT> Access-Request(User/OTP/state) > FreeRADIUS
In first Access-Request (before Access-Challenge) RADIUS_CLIENT is sending all required attributes well My problem is on the second Access-Request (after Access-Challenge). There is no "Calling-Station-Id" attribute on this state for some reason... I have checked this on the following radius client: pam_radius-1.3.17-2.el6.x86_64 (CentOS release 6.5)
Hello Dmitri, According to RFC 2865, an Access-Request packet MUST come with either a Calling-Station-Id or a NAS-Identifier AVP. So, if you don't have one, perhaps could you achieve something with the other one (if present, of course)?
Anyone can suggest some work around for above? Maybe it is configuration issue I'm missing?
Looks more to be a "RADIUS_CLIENT" issue. Could you post an example of a (first Access-Request, second Access-Request) pair sent by that "RADIUS_CLIENT"? Axel - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html