Modifying outgoing device name attribute

Alan DeKok aland at deployingradius.com
Fri Jun 2 19:01:04 UTC 2023


On May 31, 2023, at 12:26 PM, Kenny Simpson <kcg_simpson at msn.com> wrote:
> We are using FreeRADIUS to proxy authentication from Fortinet to FreeRADIUS to Cisco ACS.  We are now stumped on how to get it to authenticate properly.  We can see in the Cisco ACS logs that the device is being authenticated and that it is matching the appropriate access service but it is failing on shared secret

  *What* is failing on the shared secret?

  You have 3 different systems.  You haven't said which one is failing.

> even though we know that the shared secret is correct and that the password for the user is correct.

  The shared secret is clearly *not* correct if it's failing on the shared secret.

>  Looking at the logs it says that the client is the incoming proxy server with its name and IP address as this is what is in the client.

  *What* says this?

  Please be specific.  The more vague you are, the harder it is to help you.

>  It has the NAS IP correctly defined but I am thinking that because the device name and IP are different to the NAS IP then it's failing as the actual proxied connection has a different secret.

  *What* is doing this?

>  Is there any way of modifying the outgoing "device name attribute and IP" to match that of the client configuration?

  Where?

  If Cisco ACS is failing, then ask Cisco how their product works.  We didn't write ACS, and we know nothing about it.

  If FreeRADIUS is failing, then post the debug logs as suggested by ALL of the documentation.

  Alan DeKok.



More information about the Freeradius-Users mailing list