calling-station-id replace and md5 problem
hege
hegedus.gabor at euroway.hu
Wed Jan 28 15:51:58 CET 2009
tnt at kalik.net wrote:
>> Hi I have a problem:
>>
>> 1. The ldap doesn't replace (expand) the calling-station-id to the mac
>> address, just one time (first)
>>
>> first time:
>> [ldap] expand:
>> (&(employeeType=TRUE)(cn=%{Stripped-User-Name:-%{User-Name}})(macAddress=%{Calling-Station-Id}))
>> -> (&(employeeType=TRUE)(cn=test)(macAddress=0000.a8bb.4444))
>>
>> next time:
>> [ldap] expand:
>> (&(employeeType=TRUE)(cn=%{Stripped-User-Name:-%{User-Name}})(macAddress=%{Calling-Station-Id}))
>> -> (&(employeeType=TRUE)(cn=test)(macAddress=))
>>
>> no mac address expanded
>>
>>
>
> That's because you haven't copied the request attributes into the
> tunnel.
>
>
Yes, that was the problem. Thanks.
>> Sending tunneled request
>> EAP-Message = 0x020800090174657374
>> FreeRADIUS-Proxied-To = 127.0.0.1
>> User-Name = "test"
>> server {
>> +- entering group authorize {...}
>>
>
> Set copy_request_to_tunnel to yes in peap section of eap.conf.
>
>
>> 2. If I use EAP-PEAP + LDAP (cleartext password), everything works.
>>
>
> I would seriously doubt that. Same setting applies.
>
>
It works:
win xp client - wifi access
cisco ap
radius: def auth type : peap
ldap: store the password in cleartext.
(it will stay)
>> but I want to store the password in md5 format in the ldap
>>
>
> You can't. PEAP can't work with md-5 passwords.
>
>
>> What do I have to
>> change, what is the solution?
>>
>
> There isn't one. It can't be done.
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
> Ivan Kalik
> Kalik Informatika ISP
>
I have one more question, and I have found nothing with Google.
I have to use the dictionary.cisco.vpn3000, but if I uncomment it I get
this error message:
including dictionary file /usr/local/etc/raddb/dictionary
Errors reading dictionary: dict_init:
/usr/local/share/freeradius/dictionary.cisco.vpn3000[103]: dict_init:
/usr/local/share/freeradius/dictionary.cisco.vpn3000[103]: d
I see this:
# The Cisco VPN300 dictionary is the same as the altiga one.
# You shouldn't use both at the same time.
but I don't know what I can do with this information...
Is cisco.vpn3000 not needed? Is altiga enough?
Or disable altiga (where?) and uncomment vpn3000?
Thank you for the response.
Gabor
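
A check for the symptom in the first question, as an added example that is not part of the original thread and is not FreeRADIUS code: it scans debug output for LDAP filter expansions in which a request attribute expanded to nothing, as happened in the tunneled request before the request attributes were copied into the tunnel. The sample log is constructed from the lines quoted above, and the function name `find_empty_expansions` is hypothetical.

```python
import re

# Constructed sample, modelled on the debug lines quoted in the message above.
SAMPLE_DEBUG = """\
[ldap] expand: (&(employeeType=TRUE)(cn=%{Stripped-User-Name:-%{User-Name}})(macAddress=%{Calling-Station-Id}))
 -> (&(employeeType=TRUE)(cn=test)(macAddress=0000.a8bb.4444))
Sending tunneled request
[ldap] expand: (&(employeeType=TRUE)(cn=%{Stripped-User-Name:-%{User-Name}})(macAddress=%{Calling-Station-Id}))
 -> (&(employeeType=TRUE)(cn=test)(macAddress=))
"""

# "[module] expand: <template> -> <result>"; the result may be wrapped onto the next line.
EXPAND_RE = re.compile(r"\[(\w+)\]\s*expand:\s*(.+?)\s*->[ \t]*([^\n]*)", re.S)
# An LDAP filter component with nothing after "=", e.g. "(macAddress=)".
EMPTY_ASSERTION_RE = re.compile(r"\(([A-Za-z][\w;-]*)=\)")


def find_empty_expansions(debug_text):
    """Return one finding per filter component that expanded to an empty value."""
    findings = []
    for index, match in enumerate(EXPAND_RE.finditer(debug_text), start=1):
        module, template, result = match.groups()
        for ldap_attr in EMPTY_ASSERTION_RE.findall(result):
            # Look up which request attribute the template used for this component.
            source = re.search(r"\(" + re.escape(ldap_attr) + r"=%\{([\w-]+)", template)
            findings.append({
                "expansion": index,
                "module": module,
                "ldap_attr": ldap_attr,
                "request_attr": source.group(1) if source else None,
            })
    return findings


if __name__ == "__main__":
    for f in find_empty_expansions(SAMPLE_DEBUG):
        print("expansion #%(expansion)d [%(module)s]: %(ldap_attr)s is empty; "
              "%(request_attr)s is missing from this request" % f)
```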