EAP/TTLS on LDAP with freeradius 2.0.1

Thierry CHICH thierry.chich at ac-clermont.fr
Thu Feb 7 10:50:32 CET 2008


On Thursday 07 February 2008, Alan DeKok wrote:
> Thierry CHICH wrote:
> > You are right. I think this typo is in the original inner-tunnel file
> > included in the distribution,
>
>   Yes, I've fixed it.
>
> > but it works better, though not as I want. Now I have a good
> > Access-Accept packet, but it seems that the following Accounting-Request
> > doesn't care. Sniff.
>
>   Your NAS is broken.
>
> > rad_recv: Accounting-Request packet from host 172.30.87.66 port 4366,
> > id=144, length=159
>
> ...
>
> >         User-Name = "anonymous at ac-clermont.fr\000"
>
>   Sending a \000 at the end is wrong.
>
> >         Vendor-Specific = 0x564c414e2049442069733a20333032
> >         Vendor-Specific = 0x61632d636c65726d6f6e742e6672
>
>   These are not properly formed VSAs.  This is *very* bad practice.
>
> >         Acct-Session-Time = 4294967
>
>   The session time is 4 million seconds?
>
>   Tell the vendor that their product is broken.  As the author of RFC
> 5080, and a pending RFC on RADIUS design guidelines, I think I have
> reason to be authoritative on this issue.
>
>   e.g. for the Vendor-Specific nonsense, read Section 2.2, at the top of
> page 12, of:
>
> http://www.ietf.org/internet-drafts/draft-ietf-radext-design-02.txt
>
>   i.e. it's not flat-out forbidden, but it's a retarded thing to do.
>
>   If the vendor refuses to fix it, throw the NAS in the garbage, and buy
> a real NAS.
>


I am afraid you are right. I had already found that I had to increase the size 
of the AcctSessionId to 36 instead of 32 characters. 

My problem is that it is difficult to find an access point that is not too 
expensive and does what I want (VLAN negotiated by 802.1X, multiple SSIDs, etc.). 

Thanks a lot. I don't know what I will do, but it is nice to understand 
something.  


-- 
Thierry CHICH

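The three defects Alan points out in the quoted Accounting-Request (a NUL-terminated User-Name, Vendor-Specific values that do not follow the RFC 2865 section 5.26 layout, and an implausible Acct-Session-Time) can be checked mechanically. The script below is an added example written for this page; it is not code from the thread, from the NAS vendor or from the FreeRADIUS project. The attribute values it examines are transcribed from the debug output quoted above; the well-formed VSA it builds for contrast uses Vendor-Id 9 and sub-type 1 purely as illustrative numbers, and the 30-day session ceiling is an assumption of the example, not a protocol rule.

```python
#!/usr/bin/env python3
"""Added example, not code from the thread or from FreeRADIUS.

Applies the checks described in the quoted reply to the attribute values
shown in the Accounting-Request: a NUL-terminated User-Name, two
Vendor-Specific values that do not follow the RFC 2865 section 5.26
layout, and an implausible Acct-Session-Time.
"""
import struct

# Transcribed from the debug output quoted above.
USER_NAME = b"anonymous at ac-clermont.fr\x00"
VSA_VALUES = [
    bytes.fromhex("564c414e2049442069733a20333032"),  # "VLAN ID is: 302"
    bytes.fromhex("61632d636c65726d6f6e742e6672"),    # "ac-clermont.fr"
]
ACCT_SESSION_TIME = 4294967


def check_user_name(value: bytes) -> list[str]:
    """RFC 2865 5.1: User-Name carries text; a NUL octet is never part of it."""
    problems = []
    if b"\x00" in value:
        problems.append("User-Name contains a NUL octet (0x00)")
    try:
        value.decode("utf-8")
    except UnicodeDecodeError:
        problems.append("User-Name is not valid UTF-8")
    return problems


def parse_vsa(value: bytes) -> dict:
    """Decode a Vendor-Specific (type 26) value per RFC 2865 5.26:
    4-octet Vendor-Id (high octet 0) followed by one or more
    Vendor-Type / Vendor-Length / Vendor-Data triples."""
    problems = []
    if len(value) < 6:  # Vendor-Id plus one 2-octet sub-attribute header
        return {"vendor_id": None, "subattrs": [], "problems": ["value shorter than 6 octets"]}
    vendor_id = struct.unpack("!I", value[:4])[0]
    if value[0] != 0:
        problems.append(f"high octet of Vendor-Id is 0x{value[0]:02x}, must be 0")
    subattrs = []
    pos = 4
    while pos < len(value):
        remaining = len(value) - pos
        if remaining < 2:
            problems.append(f"{remaining} trailing octet(s) cannot hold a sub-attribute header")
            break
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2:
            problems.append(f"offset {pos}: Vendor-Length {vlen} is less than 2")
            break
        if vlen > remaining:
            problems.append(f"offset {pos}: Vendor-Length {vlen} exceeds the {remaining} octets left")
            break
        subattrs.append((vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return {"vendor_id": vendor_id, "subattrs": subattrs, "problems": problems}


def build_vsa(vendor_id: int, subattrs: list[tuple[int, bytes]]) -> bytes:
    """Encode a well-formed Vendor-Specific value (inverse of parse_vsa)."""
    if not 0 <= vendor_id < 2**24:
        raise ValueError("Vendor-Id must fit in the low 3 octets")
    out = struct.pack("!I", vendor_id)
    for vtype, data in subattrs:
        if not 0 <= vtype <= 255 or len(data) > 253:
            raise ValueError("sub-attribute type or length out of range")
        out += bytes([vtype, 2 + len(data)]) + data
    return out


def check_acct_session_time(seconds: int, max_days: int = 30) -> list[str]:
    """Sanity check on Acct-Session-Time (RFC 2866 5.7). The 30-day ceiling
    is an assumption of this example, not a protocol rule."""
    problems = []
    if seconds > max_days * 86400:
        problems.append(f"Acct-Session-Time {seconds}s is {seconds / 86400:.1f} days, "
                        f"above the assumed {max_days}-day ceiling")
    if seconds == (2**32 - 1) // 1000:
        problems.append("value equals (2^32-1)//1000 exactly, hard to explain as a real session length")
    return problems


def audit() -> dict:
    """Run every check over the transcribed values; returns {attribute: [problems]}."""
    report = {"User-Name": check_user_name(USER_NAME),
              "Acct-Session-Time": check_acct_session_time(ACCT_SESSION_TIME)}
    for i, raw in enumerate(VSA_VALUES):
        report[f"Vendor-Specific[{i}]"] = parse_vsa(raw)["problems"]
    return report


if __name__ == "__main__":
    for attr, problems in audit().items():
        print(attr, "OK" if not problems else "; ".join(problems))
    # What a conforming VSA carrying the same text looks like.
    # Vendor-Id 9 and sub-type 1 are illustrative values, not taken from the post.
    print(build_vsa(9, [(1, b"VLAN ID is: 302")]).hex())
```

Both sniffed Vendor-Specific values fail in the same way: their first octet is an ASCII letter rather than the zero octet RFC 2865 requires, and the octet that should be Vendor-Length (0x49 and 0x65) claims far more data than the attribute holds, which is why FreeRADIUS could only show them as raw hex.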