2.0.0 documentation for radiusd.conf.
A.L.M.Buxey at lboro.ac.uk
A.L.M.Buxey at lboro.ac.uk
Thu Jun 14 13:55:48 CEST 2007
Hi,
> We have three different models of NAS, each with their own weirdnesses...
>
> Apple airports send Ethernet as their medium type ...
even with latest firmware? if so, nasty!
> HP530s Don't send a service-type in the request, they also send their
> loopback address as NAS-IP-Address ?! And they do a weird thing with
> appending the SSID to the called-station-id ...
> They also don't send a NAS-Identifier, which makes things fun in terms
> of accounting records.
most devices allow you to specify the interface address to be used as the
source address for RADIUS. most guides also say 'use the local loopback address'
(expecting you to use the lookback address as their unique address for
connecting to/from etc) we dont use the loopback but instead use the
administrative address for RADIUS, TACACS+ etc source address.
a lot of devices also append the SSID to the called-station-id
(Cisco kit tends to do this too) - VERY handy as a single call/check
can throw the logic down the right path! :-)
> HP 2626 switches, with firmware revision H.10.35 get the first 10 chars
> of their own mac address right, then screw up the last two ...
er, if they act like cisco kit, then the last part of their MAC address
will change for special purposes. Cisco kit changes the last octet for
each wireless interface and each port MAC address and admin interface etc.
> Then you have users who enter user at sussex.ac.uk domain sussex.ac.uk in
> the windows supplicant, which comes out as
>
> sussex.ac.uk/user at sussex.ac.uk
er, yes. thats how it should come out. IF they fill in the REALM box
for PEAL then their realm gets prepended to the call. this is trivial
to search and strip out. if its a machine authentication then it'll
have host/ instead as the UserID. in fact, FR already can handle
the REALM prefix as part of the proxy etc. you may need to enforce
the nt-hack stuff too. several examples posted to this list
over the past 2 years have shown various ntlm_auth command lines
that can handle the REALM or over-write the supplied REALM
alan
More information about the Freeradius-Users
mailing list