"[eap] = reject" after "Calling eap_md5 to process EAP data"
Alan DeKok
aland at deployingradius.com
Tue Jul 7 23:21:45 CEST 2015
On Jul 7, 2015, at 4:54 PM, Zeus Panchenko <zeus at ibs.dn.ua> wrote:
> emm ... as I figured out, the problem is in password format though
> ... it has to be the same as User-Name attribute value passed by NAS to
> FR ...
The password isn't the User-Name.
> in my case it was MAC address in lowercase without delimiters (it
> is how commutators, at least Cisco SF300 format User-Name) while in LDAP
> DB I'm trying to switch to the format of FR normalized MAC (uppercase
> dash delimited) ... is this problem due to pap issue you described?
No.
> after I changed password to the value of User-Name attribute passed from
> NAS, the Access-Accept succeeded ...
>
> so, now I wonder, can I somehow rewrite User-Name value to use
> normalized MAC?
Don't do that.
> I think it is a good idea to use FR normalized MAC format in LDAP DB for
> login/password, and for that I'd like to put Calling-Station-Id value to
> User-Name and further, to use normalized format
Not everyone uses LDAP.
> does it sound good? or maybe this practice is already common and I am
> reinventing the wheel?
In v3, see raddb/policy.d/canonicalization. It has policies to normalize MAC addresses in Calling-Station-Id. The same policies can be applied to other attributes, too.
Alan DeKok.
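
An added illustration, not part of the original message and not FreeRADIUS's own policy code, of what MAC canonicalization achieves: the formats a NAS may send all map to one uppercase, dash-delimited value that a datastore can key on, while User-Name is left as the NAS sent it. The function names, the accepted separators and the sample request are assumptions made for this sketch.

```python
import re

# Six hex octets, each optionally followed by one separator (-, : or .).
# Covers bare hex, colon/dash pairs and Cisco dotted style (assumed set).
_MAC_SHAPE = re.compile(r"(?:[0-9a-f]{2}[-:.]?){5}[0-9a-f]{2}", re.IGNORECASE)


def normalize_mac(value):
    """Return the MAC as uppercase dash-delimited text, or None if not a MAC."""
    value = value.strip()
    if not _MAC_SHAPE.fullmatch(value):
        return None  # refuse to guess: leave non-MAC values alone
    octets = re.findall(r"[0-9a-fA-F]{2}", value)
    return "-".join(octet.upper() for octet in octets)


def canonicalize_request(request):
    """Return a copy of the request with Calling-Station-Id normalized.

    User-Name is deliberately not rewritten; only the lookup key changes.
    """
    out = dict(request)
    mac = normalize_mac(request.get("Calling-Station-Id", ""))
    if mac is not None:
        out["Calling-Station-Id"] = mac
    return out


# Constructed sample: a switch sending the MAC in two different formats.
SAMPLE_REQUEST = {
    "User-Name": "001122aabbcc",
    "Calling-Station-Id": "00:11:22:aa:bb:cc",
}

if __name__ == "__main__":
    for raw in ("001122aabbcc", "00:11:22:aa:bb:cc", "0011.22aa.bbcc", "bob"):
        print(f"{raw!r:22} -> {normalize_mac(raw)!r}")
    print(canonicalize_request(SAMPLE_REQUEST))
```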