calling-station-id replace and md5 problem

hege hegedus.gabor at euroway.hu
Wed Jan 28 15:51:58 CET 2009


tnt at kalik.net wrote:
>> Hi I have a problem:
>>
>> 1. The ldap doesn't replace (expand) the calling-station-id to the mac
>> address, only one time (the first)
>>
>> first time:
>> [ldap]  expand:
>> (&(employeeType=TRUE)(cn=%{Stripped-User-Name:-%{User-Name}})(macAddress=%{Calling-Station-Id}))
>> -> (&(employeeType=TRUE)(cn=test)(macAddress=0000.a8bb.4444))
>>
>> next time:
>> [ldap]  expand:
>> (&(employeeType=TRUE)(cn=%{Stripped-User-Name:-%{User-Name}})(macAddress=%{Calling-Station-Id}))
>> -> (&(employeeType=TRUE)(cn=test)(macAddress=))
>>
>> no mac address expanded
>>
>>
>
> That's because you haven't copied the request attributes into the
> tunnel.
>
Yes, that was the problem. Thanks.
>> Sending tunneled request
>>       EAP-Message = 0x020800090174657374
>>       FreeRADIUS-Proxied-To = 127.0.0.1
>>       User-Name = "test"
>> server  {
>> +- entering group authorize {...}
>>     
>
> Set copy_request_to_tunnel to yes in peap section of eap.conf.
>
>   
>> 2. If I use EAP-PEAP + LDAP (cleartext password), everything works.
>>     
>
> I would seriously doubt that. Same setting applies.
>
>   
It works:
win xp client - wifi access
cisco ap
radius: default auth type: peap
ldap: stores the password in cleartext.

(it will stay)
>>  but I want to store the password md5 format in the ldap
>>     
>
> You can't. PEAP can't work with md-5 passwords.
>
>   
>> What do I have to
>> change? What is the solution?
>>     
>
> There isn't one. It can't be done.
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
> Ivan Kalik
> Kalik Informatika ISP
I have one more question, and I have found nothing with google.

I have to use the dictionary.cisco.vpn3000, but if I uncomment it I get
this error msg:

including dictionary file /usr/local/etc/raddb/dictionary
Errors reading dictionary: dict_init: 
/usr/local/share/freeradius/dictionary.cisco.vpn3000[103]: dict_init: 
/usr/local/share/freeradius/dictionary.cisco.vpn3000[103]: d

I see this
#     The Cisco VPN300 dictionary is the same as the altiga one.
#     You shouldn't use both at the same time.

but I don't know what I can do with this information...

Is cisco.vpn3000 not needed? Is altiga enough?
Or disable altiga (where?) and uncomment vpn3000?


Thank you for the response.

Gabor
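An added example, not code from this thread or from FreeRADIUS itself: a small model of the `%{Attr}` / `%{Attr:-default}` expansion used in the ldap filter quoted at the top, run against the inner (tunnel) request without and with copy_request_to_tunnel. The `tunnel_request()` function is an assumed, simplified model of what gets copied into the inner request; the outer request attributes are constructed from the log lines above.

```python
# Added example (not from the thread or FreeRADIUS): model the %{Attr:-default}
# expansion of the ldap filter against the PEAP inner request.
LDAP_FILTER = ("(&(employeeType=TRUE)(cn=%{Stripped-User-Name:-%{User-Name}})"
               "(macAddress=%{Calling-Station-Id}))")

# Constructed outer (PEAP) request, modelled on the attributes seen in the log.
OUTER_REQUEST = {"User-Name": "test", "Calling-Station-Id": "0000.a8bb.4444"}

def ldap_escape(value):
    """Escape an expanded value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        out.append("\\%02x" % ord(ch) if ch in "\\*()\0" else ch)
    return "".join(out)

def expand(template, attrs):
    """Expand %{Attr} and %{Attr:-default}; defaults may nest."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            end = _matching_brace(template, i + 1)
            out.append(_expand_ref(template[i + 2:end], attrs))
            i = end + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)

def _matching_brace(s, open_idx):
    depth = 0
    for j in range(open_idx, len(s)):
        depth += (s[j] == "{") - (s[j] == "}")
        if depth == 0:
            return j
    raise ValueError("unbalanced %{...} in template")

def _expand_ref(body, attrs):
    name, sep, default = body.partition(":-")
    value = attrs.get(name)
    if value is not None:
        return ldap_escape(value)
    # Missing attribute: use the default if one was given, else empty (as in the log).
    return expand(default, attrs) if sep else ""

def tunnel_request(outer, copy_request_to_tunnel):
    """Assumed model: the inner request carries only the identity, plus outer
    attributes when copy_request_to_tunnel = yes."""
    inner = {"User-Name": outer["User-Name"], "FreeRADIUS-Proxied-To": "127.0.0.1"}
    if copy_request_to_tunnel:
        inner.update(outer)
    return inner
```

Without the copy, `macAddress=` expands empty exactly as in the "next time" log line; with it, the MAC is present again.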