Hy all, I am trying to include two pairs attribute/value in my Radius Response Packet. This is my code: ... pairadd(&request->reply->vps, pairmake("Password", "***\n", T_OP_EQ)); pairadd (&request->reply->vps, pairmake("Reply-Message", "TID-2002", T_OP_EQ)); ... When I do some tests, I observe this: 1) If my radius Response Packet is an Access-Accept, the FreeRadius server sends: Received response ID 255, code 2, length = 71 User-Password = "***\n" Reply-Message = "TID-2002" 2) If my radius Response Packet is an Access-Reject, the FreeRadius server sends: Received response ID 252, code 3, length = 30 Reply-Message = "TID-2002" ---------------------------- * Why the Password attribute does not appear in the Access-Reject packet? * Why does the Password attribute (in the Access-Accept packet) appear like User-Password? Thank you very much Susana ______________________________________________ LLama Gratis a cualquier PC del Mundo. Llamadas a fijos y móviles desde 1 céntimo por minuto. http://es.voice.yahoo.com
Susana Macias wrote:
* Why the Password attribute does not appear in the Access-Reject packet?
User-Password is not permitted in Access-Rejects; see the RFC.
* Why does the Password attribute (in the Access-Accept packet) appear like User-Password?
That's how it's defined in the dictionary file. josh.
Thank you very much Susana
______________________________________________ LLama Gratis a cualquier PC del Mundo. Llamadas a fijos y móviles desde 1 céntimo por minuto. http://es.voice.yahoo.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--- Josh Howlett <josh.howlett@bristol.ac.uk> escribió:
Susana Macias wrote:
* Why the Password attribute does not appear in the Access-Reject packet?
User-Password is not permitted in Access-Rejects; see the RFC.
Yes, but in the RFC says that the User-Password attribute "is only used in Access-Request packets". However I have been able to send it in an Access-Accept packet (this is why I asked)
* Why does the Password attribute (in the Access-Accept packet) appear like User-Password?
That's how it's defined in the dictionary file.
And is there any form to send Password instead User-Password? Thanks again
josh.
Thank you very much Susana
______________________________________________ LLama Gratis a cualquier PC del Mundo. Llamadas a fijos y móviles desde 1 céntimo por minuto. http://es.voice.yahoo.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
______________________________________________ LLama Gratis a cualquier PC del Mundo. Llamadas a fijos y móviles desde 1 céntimo por minuto. http://es.voice.yahoo.com
Susana Macias <susana_macias12@yahoo.es> wrote:
Yes, but in the RFC says that the User-Password attribute "is only used in Access-Request packets". However I have been able to send it in an Access-Accept packet (this is why I asked)
It's not a good idea to send passwords in Access-Accept. Technically, the RFC's should have forbidden that, too.
And is there any form to send Password instead User-Password?
The names are unimportant. They both refer to the same attribute: number 2. The names are used only by the server. See "man dictionary" for details. Perhaps you could explain why you're sending the password in response packets, and why you think it's useful. Alan DeKok.
I would like to know too, Alan I am only a developer... . And here anyone explains me anything :-(. Thanks for your help --- Alan DeKok <aland@ox.org> escribió:
Susana Macias <susana_macias12@yahoo.es> wrote:
Yes, but in the RFC says that the User-Password attribute "is only used in Access-Request packets". However I have been able to send it in an Access-Accept packet (this is why I asked)
It's not a good idea to send passwords in Access-Accept.
Technically, the RFC's should have forbidden that, too.
And is there any form to send Password instead User-Password?
The names are unimportant. They both refer to the same attribute: number 2. The names are used only by the server. See "man dictionary" for details.
Perhaps you could explain why you're sending the password in response packets, and why you think it's useful.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
______________________________________________ LLama Gratis a cualquier PC del Mundo. Llamadas a fijos y móviles desde 1 céntimo por minuto. http://es.voice.yahoo.com
Susana Macias <susana_macias12@yahoo.es> wrote:
I would like to know too, Alan
I am only a developer... . And here anyone explains me anything :-(.
Then tell them I said it's a bad idea to put User-Password into Access-Accept. There are probably better ways of doing the same thing, like using Tunnel-Password. And it's even a worse idea to put User-Password into Access-Reject. If anyone thinks it's necessary, then they're doing something wrong. They'd probably be better off using Access-Challenge. If they argue, tell them to email me privately, and I'll discuss it with them. Ignoring the RFC's can lead to serious security problems. Alan DeKok.
Hy all, Has someone used FreeRadius with a iplanet LDAP server? Thanks a lot
participants (4)
-
Alan DeKok -
Josh Howlett -
Rafael Roldán -
Susana Macias