"[eap] = reject" after "Calling eap_md5 to process EAP data"
Zeus Panchenko
zeus at ibs.dn.ua
Tue Jul 7 22:54:32 CEST 2015
Alan DeKok <aland at deployingradius.com> wrote:
> On Jul 6, 2015, at 1:56 PM, Zeus Panchenko <zeus at ibs.dn.ua> wrote:
> > as I understand from the debug below, I successfully pass
> > authorization but fail to authenticate against eap_md5 ...
> >
> > why?
>
> Because you deleted the "pap" module from the "authorize" section.
> It should be listed last there. It takes care of normalizing
> passwords. In this case, turning Password-With-Header into
> Cleartext-Password.
>
emm ... as I figured out, the problem is in the password format though
... it has to be the same as the User-Name attribute value passed by the NAS
to FR ... in my case it was a MAC address in lowercase without delimiters (it
is how commutators, at least Cisco SF300, format User-Name) while in the LDAP
DB I'm trying to switch to the format of the FR normalized MAC (uppercase,
dash delimited) ... is this problem due to the pap issue you described?

after I changed the password to the value of the User-Name attribute passed
from the NAS, the Access-Accept succeeded ...

so, now I wonder, can I somehow rewrite the User-Name value to use the
normalized MAC?

I think it is a good idea to use the FR normalized MAC format in the LDAP DB
for login/password, and for that I'd like to put the Calling-Station-Id value
into User-Name and, further, to use the normalized format

does it sound good? or maybe this practice is already common and I am
reinventing the wheel?

> PLEASE just post "radiusd -X". This is what is requested in the
sorry, I will
--
Zeus V. Panchenko jid:zeus at im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
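
Added example (not part of the original message and not FreeRADIUS code): a Python model of why the EAP-MD5 check discussed above depends on the exact password string. With EAP-MD5 the server only receives MD5(identifier || password || challenge), so it cannot normalize the password the NAS hashed. The sample MAC, the directory dictionaries and all function names are assumptions made up for illustration.

```python
import hashlib
import hmac
import re

MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?:[-:.]?[0-9A-Fa-f]{2}){5}")

def normalize_mac(value):
    """Return the MAC uppercase and dash-delimited, or None if value is not a MAC."""
    if not MAC_RE.fullmatch(value):
        return None
    digits = re.sub(r"[-:.]", "", value).upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def eap_md5_value(identifier, password, challenge):
    """RFC 1994 CHAP value used by EAP-MD5: MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()

def check(user_name, identifier, challenge, response, directory):
    """Model of the server side: look up by normalized MAC, verify with the stored password."""
    key = normalize_mac(user_name)
    stored = directory.get(key) if key else None
    if stored is None:
        return False
    expected = eap_md5_value(identifier, stored, challenge)
    return hmac.compare_digest(expected, response)

# Constructed sample values (not taken from the original post).
USER_NAME = "aabbccddeeff"   # format the NAS sends: lowercase, no delimiters
CHALLENGE = bytes(range(16))
IDENTIFIER = 7
# Assumption: the NAS hashes its own User-Name string as the password.
NAS_RESPONSE = eap_md5_value(IDENTIFIER, USER_NAME, CHALLENGE)

# Entry keyed by normalized MAC, password also normalized: the hashes differ.
normalized_password = {"AA-BB-CC-DD-EE-FF": "AA-BB-CC-DD-EE-FF"}
# Same key, password kept in the format the NAS uses: the hashes match.
nas_format_password = {"AA-BB-CC-DD-EE-FF": "aabbccddeeff"}

if __name__ == "__main__":
    for name, directory in (("normalized", normalized_password),
                            ("NAS format", nas_format_password)):
        ok = check(USER_NAME, IDENTIFIER, CHALLENGE, NAS_RESPONSE, directory)
        print(name, "->", "Access-Accept" if ok else "Access-Reject")
```

In this model the lookup key can be normalized freely, but the stored password has to stay byte-for-byte what the NAS hashes.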