VSA and other attributes in Access-Accept
Mohammed Petiwala
mhpetiwala at yahoo.com
Fri Sep 29 20:48:42 CEST 2006
Hi:
Could anyone please provide me some advice on my question below.
Currently I am seeing VSAs in my reply messages from freeRADIUS being passed in Access-Accept, Access-Challenge. I would like to limit certain VSAs to only Accepts, or Challenge.
Is this possible - because according to the RFCs for 3GPP/3GPP2 only some of them are possible in certain type of responses.
Thx.
Regards,
Mohammed.
Date: Thu, 30 Mar 2006 14:06:02 -0800 (PST)
From: Mohammed Petiwala <mhpetiwala at yahoo.com>
Subject: VSA and other attributes in Access-Accept
To: freeradius-users at lists.freeradius.org
Hi:
First thanks to the freeRADIUS team - this is one of the most flexibile and powerful AAA available...
I've 2 questions:
1. I've set up my clients to authenticate using EAP-TTLS with MSCHAPv2 as the inner authentication protocol. This works fine with the wpa_suppicant with intel 2200b/g as well as the Cisco Aironet 350. I've created my own dictionary file with VSAs that are useful for my NAS once Access-Accept is returned.
The 'users' file has the VSAs Attrib = Value listed after each user entry and I do see the attributes being returned correctly on Access-Accept. My question is (please correct me if I am wrong) - I see the VSAs being returned during the intermediate Access-Challenge messages too even before authentication is complete. Is this the normal behavior, is there a way to setup the freeRADIUS server so that the VSAs are only returned on Access-Accept and not during the Access-Challenge. The NAS does ignore the VSAs in any case during the challenge - but would be good if there was a way to limit the message size for the Access-Challenge messages (only if this is valid from RADIUS RFC perspective - if someone could clarify).
2. How can I set users in the 'users' file (an example would be very helpful if someone can send) so that some users are only allowed to authenticate using EAP-TTLS while others are only allowed to use PEAP. Once I create an entry into the users file (and both authentications are EAP types) - the user can authenticate using any eap type - I would like to limit this per user. Is it possible??
Thx.
Regards,
Mohammed.
---------------------------------
All-new Yahoo! Mail - Fire up a more powerful email and get things done faster.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20060929/5477413c/attachment.html>
More information about the Freeradius-Users
mailing list