EAP/TTLS on LDAP with freeradius 2.0.1
Alan DeKok
aland at deployingradius.com
Thu Feb 7 10:00:33 CET 2008
Thierry CHICH wrote:
> You are right. I think this typo is in the original file inner-tunnel included
> in the distrib,
Yes, I've fixed it.
> but it works better - but not as I want. Now, I have a good
> Access-Accept packet, but it seems that the accounting-request following
> doesn't care. Sniff.
Your NAS is broken.
> rad_recv: Accounting-Request packet from host 172.30.87.66 port 4366, id=144,
> length=159
...
> User-Name = "anonymous at ac-clermont.fr\000"
Sending a \000 at the end is wrong.
> Vendor-Specific = 0x564c414e2049442069733a20333032
> Vendor-Specific = 0x61632d636c65726d6f6e742e6672
These are not properly formed VSAs. This is *very* bad practice.
> Acct-Session-Time = 4294967
The session time is 4 million seconds?
Tell the vendor that their product is broken. As the author of RFC
5080, and a pending RFC on RADIUS design guidelines, I think I have
reason to be authoritative on this issue.
e.g. for the Vendor-Specific nonsense, read Section 2.2, at the top of
page 12, of:
http://www.ietf.org/internet-drafts/draft-ietf-radext-design-02.txt
i.e. it's not flat-out forbidden, but it's a retarded thing to do.
If the vendor refuses to fix it, throw the NAS in the garbage, and buy
a real NAS.
Alan DeKok.
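
The checks discussed in this message, written out as an added example (not part of the original post and not FreeRADIUS code). The function names are hypothetical; the Vendor-Specific layout follows RFC 2865 section 5.26, and the session-time test is a heuristic assumed here.

```python
import struct

def check_vsa(value: bytes) -> list:
    """Compare a Vendor-Specific value with the RFC 2865 section 5.26 layout:
    4-octet Vendor-Id (high octet 0), then vendor type/length/data fields."""
    if len(value) < 4:
        return ["shorter than the 4-octet Vendor-Id"]
    problems = []
    (vendor_id,) = struct.unpack("!I", value[:4])
    if vendor_id >> 24:
        problems.append(f"Vendor-Id 0x{vendor_id:08x} has a non-zero high octet")
    pos = 4
    while pos < len(value):
        # Vendor length counts the type and length octets, so the minimum is 2.
        vlen = value[pos + 1] if pos + 1 < len(value) else 0
        if vlen < 2 or pos + vlen > len(value):
            problems.append(f"sub-attribute at offset {pos} has bad length {vlen}")
            break
        pos += vlen
    if all(0x20 <= b < 0x7F for b in value):
        problems.append(f"entire value is printable text: {value.decode('ascii')!r}")
    return problems

def check_accounting(user_name: bytes, session_time: int, vsas: list) -> list:
    findings = []
    if user_name.endswith(b"\x00"):
        findings.append("User-Name ends with a NUL octet")
    # Heuristic added here (an assumption, not stated in the post): the value
    # equals (2**32 - 1) // 1000, which would fit a 32-bit millisecond counter
    # at its maximum being reported in seconds.
    if session_time == (2**32 - 1) // 1000:
        findings.append("Acct-Session-Time looks like a wrapped 32-bit counter")
    for raw in vsas:
        findings += [f"Vendor-Specific: {p}" for p in check_vsa(raw)]
    return findings

# The two Vendor-Specific values and the session time are from the debug output
# quoted above; the User-Name is a constructed sample with the same trailing NUL.
VSAS = [bytes.fromhex("564c414e2049442069733a20333032"),
        bytes.fromhex("61632d636c65726d6f6e742e6672")]
# Constructed well-formed VSA: Vendor-Id 32473 (the IANA documentation
# enterprise number), vendor type 1, vendor length 5, data "302".
GOOD = struct.pack("!IBB", 32473, 1, 5) + b"302"

if __name__ == "__main__":
    for finding in check_accounting(b"anonymous@example.org\x00", 4294967, VSAS):
        print(finding)
```

Both values from the log decode to bare ASCII strings with no Vendor-Id or type/length framing, which is why every structural check on them fails while the constructed `GOOD` value passes.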