# Cisco CB21AG LEAP woes

## MadOtis

Good morning all,

I have an IBM T41 laptop that has an internal IPW2100 card (works great) and a Cisco-Aironet CB21AG PCMCIA card.  At home, both wireless cards work great, but at work, where I have to use LEAP (thus, the Cisco card), I can't get either to authenticate using Leap.  Although, with the Cisco card, I have to use the MadWiFi drivers instead of Airo or Airo_cs.

I HAVE installed the cisco drivers, I have installed the kernel drivers, neither help at all (following all the posts I've read here).  The card (from here on out, I'm only targeting the Cisco pcmcia card), seems to initialize properly, I can see the two status leds flash as it tries to connect, but nothing... after several seconds the net.ath0 script bombs and no connection.

The specifics of my installation are:

Gentoo 2004.1 - 2.6.7-r11 kernel

IBM T41 laptop

Cisco AIR-CB21AG pcmcia card.

Thanks in advance!

Randy

----------

## think4urs11

Q1: Do you use AP350 in the office or AP12xx?

Q2: If AP350 - which firmware version do they have?

Q3: Do the AP use broadcast key rotation?

Q4: Do the AP use MIC?

There are various issues with the new cards

HTH

T.

----------

## MadOtis

A1)  I'm approx. 90% sure they are using AP12xx

A2)  I'm not sure.

A3)  No, no key rotation.  At least, not from what my lan support admin tells me.

A4)  No, no MIC

The only values we enter anywhere are the SSID1, 802.1x 54Mb, and LEAP. These are the only values we specify in the Winders ACU client.

----------

## linuxbum

Randy, did you ever get the card to work?

I did get the older 353 cards to work with the ACU utility, but the CB21AG is not found by the Gentoo box.

Cisco does not list a driver for Linux for the new CB21AG. It does look to be AGR5212 in DMESG.

Bryan

----------

## RoundsToZero

I can do LEAP with wpa_supplicant on my ipw2200.  You may not need to use your Cisco card.  If you want I will post my section of wpa_supplicant.conf when I get back to my laptop.  Of course ipw2100 might be different, but they use a common wireless stack now and all the crypto is generally done in software.

EDIT: Oops, thread necro.  Hope you have an ipw2x00 too, linuxbum.

----------

## linuxbum

RoundsToZero

As a matter of fact I do have a 2915 card.

But the SSID is not broadcast and I tried the wpa-supplicant and wireless examples but no auth.

Tried the Cisco util leapscript and leaplogin.

If you would share your wpa_supplicant file I would love to see if I missed something.

I have got it working on the WPA-PSK TKIP site at home with no problems.

Bryan

----------

## RoundsToZero

Here it is, look at the "LEAP SECTION".

```
##### Example wpa_supplicant configuration file ###############################
# Empty lines and lines starting with # are ignored

# NOTE! This file may contain password information and should probably be made
# readable only by root user on multiuser systems.

# global configuration (shared by all network blocks)
#
# Interface for separate control program. If this is specified, wpa_supplicant
# will create this directory and a UNIX domain socket for listening to requests
# from external programs (CLI/GUI, etc.) for status information and
# configuration. The socket file will be named based on the interface name, so
# multiple wpa_supplicant processes can be run at the same time if more than
# one interface is used.
# /var/run/wpa_supplicant is the recommended directory for sockets and by
# default, wpa_cli will use it when trying to connect with wpa_supplicant.
ctrl_interface=/var/run/wpa_supplicant

# Access control for the control interface can be configured by setting the
# directory to allow only members of a group to use sockets. This way, it is
# possible to run wpa_supplicant as root (since it needs to change network
# configuration and open raw sockets) and still allow GUI/CLI components to be
# run as non-root users. However, since the control interface can be used to
# change the network configuration, this access needs to be protected in many
# cases. By default, wpa_supplicant is configured to use gid 0 (root). If you
# want to allow non-root users to use the control interface, add a new group
# and change this value to match with that group. Add users that should have
# control interface access to this group. If this variable is commented out or
# not included in the configuration file, group will not be changed from the
# value it got by default when the directory or socket was created.
#
# This variable can be a group name or gid.
#ctrl_interface_group=wheel
ctrl_interface_group=0

# IEEE 802.1X/EAPOL version
# wpa_supplicant was implemented based on IEEE 802-1X-REV-d8 which defines
# EAPOL version 2. However, there are many APs that do not handle the new
# version number correctly (they seem to drop the frames completely). In order
# to make wpa_supplicant interoperate with these APs, the version number is set
# to 1 by default. This configuration value can be used to set it to the new
# version (2).
eapol_version=1

# AP scanning/selection
# By default, wpa_supplicant requests driver to perform AP scanning and then
# uses the scan results to select a suitable AP. Another alternative is to
# allow the driver to take care of AP scanning and selection and use
# wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association
# information from the driver.
# 1: wpa_supplicant initiates scanning and AP selection
# 0: driver takes care of scanning, AP selection, and IEEE 802.11 association
#    parameters (e.g., WPA IE generation); this mode can also be used with
#    non-WPA drivers when using IEEE 802.1X mode; do not try to associate with
#    APs (i.e., external program needs to control association)
# 2: like 0, but associate with APs using security policy and SSID (but not
#    BSSID); this can be used, e.g., with ndiswrapper and NDIS driver to
#    enable operation with hidden SSIDs and optimized roaming; in this mode,
#    only the first network block in the configuration file is used and this
#    configuration should have explicit security policy (i.e., only one option
#    in the lists) for key_mgmt, pairwise, group, proto variables
ap_scan=1

# EAP fast re-authentication
# By default, fast re-authentication is enabled for all EAP methods that
# support it. This variable can be used to disable fast re-authentication.
# Normally, there is no need to disable this.
fast_reauth=1

# network block
#
# Each network (usually AP's sharing the same SSID) is configured as a separate
# block in this configuration file. The network blocks are in preference order
# (the first match is used).
#
# network block fields:
#
# ssid: SSID (mandatory); either as an ASCII string with double quotation or
#   as hex string; network name
#
# scan_ssid:
#   0 = do not scan this SSID with specific Probe Request frames (default)
#   1 = scan with SSID-specific Probe Request frames (this can be used to
#       find APs that do not accept broadcast SSID or use multiple SSIDs;
#       this will add latency to scanning, so enable this only when needed)
#
# bssid: BSSID (optional); if set, this network block is used only when
#   associating with the AP using the configured BSSID
#
# priority: priority group (integer)
# By default, all networks will get same priority group (0). If some of the
# networks are more desirable, this field can be used to change the order in
# which wpa_supplicant goes through the networks when selecting a BSS. The
# priority groups will be iterated in decreasing priority (i.e., the larger the
# priority value, the sooner the network is matched against the scan results).
# Within each priority group, networks will be selected based on security
# policy, signal strength, etc.
# Please note that AP scanning with scan_ssid=1 is not using this priority to
# select the order for scanning. Instead, it uses the order the networks are in
# the configuration file.
#
# mode: IEEE 802.11 operation mode
# 0 = infrastructure (Managed) mode, i.e., associate with an AP (default)
# 1 = IBSS (ad-hoc, peer-to-peer)
# Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP)
# and key_mgmt=WPA-NONE (fixed group key TKIP/CCMP). In addition, ap_scan has
# to be set to 2 for IBSS. WPA-None requires following network block options:
# proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not
# both), and psk must also be set.
#
# proto: list of accepted protocols
# WPA = WPA/IEEE 802.11i/D3.0
# RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN)
# If not set, this defaults to: WPA RSN
#
# key_mgmt: list of accepted authenticated key management protocols
# WPA-PSK = WPA pre-shared key (this requires 'psk' field)
# WPA-EAP = WPA using EAP authentication (this can use an external
#   program, e.g., Xsupplicant, for IEEE 802.1X EAP Authentication
# IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically
#   generated WEP keys
# NONE = WPA is not used; plaintext or static WEP could be used
# If not set, this defaults to: WPA-PSK WPA-EAP
#
# auth_alg: list of allowed IEEE 802.11 authentication algorithms
# OPEN = Open System authentication (required for WPA/WPA2)
# SHARED = Shared Key authentication (requires static WEP keys)
# LEAP = LEAP/Network EAP (only used with LEAP)
# If not set, automatic selection is used (Open System with LEAP enabled if
# LEAP is allowed as one of the EAP methods).
#
# pairwise: list of accepted pairwise (unicast) ciphers for WPA
# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
# NONE = Use only Group Keys (deprecated, should not be included if APs support
#   pairwise keys)
# If not set, this defaults to: CCMP TKIP
#
# group: list of accepted group (broadcast/multicast) ciphers for WPA
# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
# WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key
# WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11]
# If not set, this defaults to: CCMP TKIP WEP104 WEP40
#
# psk: WPA preshared key; 256-bit pre-shared key
# The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e.,
# 32 bytes or as an ASCII passphrase (in which case, the real PSK will be
# generated using the passphrase and SSID). ASCII passphrase must be between
# 8 and 63 characters (inclusive).
# This field is not needed, if WPA-EAP is used.
# Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys
# from ASCII passphrase. This process uses lot of CPU and wpa_supplicant
# startup and reconfiguration time can be optimized by generating the PSK only
# only when the passphrase or SSID has actually changed.
#
# eapol_flags: IEEE 802.1X/EAPOL options (bit field)
# Dynamic WEP key require for non-WPA mode
# bit0 (1): require dynamically generated unicast WEP key
# bit1 (2): require dynamically generated broadcast WEP key
#    (3 = require both keys; default)
#
# Following fields are only used with internal EAP implementation.
# eap: space-separated list of accepted EAP methods
#   MD5 = EAP-MD5 (unsecure and does not generate keying material ->
#         cannot be used with WPA; to be used as a Phase 2 method
#         with EAP-PEAP or EAP-TTLS)
#   MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used
#         as a Phase 2 method with EAP-PEAP or EAP-TTLS)
#   OTP = EAP-OTP (cannot be used separately with WPA; to be used
#         as a Phase 2 method with EAP-PEAP or EAP-TTLS)
#   GTC = EAP-GTC (cannot be used separately with WPA; to be used
#         as a Phase 2 method with EAP-PEAP or EAP-TTLS)
#   TLS = EAP-TLS (client and server certificate)
#   PEAP = EAP-PEAP (with tunnelled EAP authentication)
#   TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2
#          authentication)
#   If not set, all compiled in methods are allowed.
#
# identity: Identity string for EAP
# anonymous_identity: Anonymous identity string for EAP (to be used as the
#   unencrypted identity with EAP types that support different tunnelled
#   identity, e.g., EAP-TTLS)
# password: Password string for EAP
# ca_cert: File path to CA certificate file. This file can have one or more
#   trusted CA certificates. If ca_cert is not included, server certificate
#   will not be verified. This is insecure and the CA file should always be
#   configured.
# client_cert: File path to client certificate file (PEM/DER)
# private_key: File path to client private key file (PEM/DER/PFX)
#   When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
#   commented out. Both the private key and certificate will be read from
#   the PKCS#12 file in this case.
# private_key_passwd: Password for private key file
# dh_file: File path to DH/DSA parameters file (in PEM format)
#   This is an optional configuration file for setting parameters for an
#   ephemeral DH key exchange. In most cases, the default RSA
#   authentication does not use this configuration. However, it is possible
#   setup RSA to use ephemeral DH key exchange. In addition, ciphers with
#   DSA keys always use ephemeral DH keys. This can be used to achieve
#   forward secrecy. If the file is in DSA parameters format, it will be
#   automatically converted into DH params.
# subject_match: Substring to be matched against the subject of the
#   authentication server certificate. If this string is set, the server
#   sertificate is only accepted if it contains this string in the subject.
#   The subject string is in following format:
#   /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com
# phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters
#   (string with field-value pairs, e.g., "peapver=0" or
#   "peapver=1 peaplabel=1")
#   'peapver' can be used to force which PEAP version (0 or 1) is used.
#   'peaplabel=1' can be used to force new label, "client PEAP encryption",
#   to be used during key derivation when PEAPv1 or newer. Most existing
#   PEAPv1 implementation seem to be using the old label, "client EAP
#   encryption", and wpa_supplicant is now using that as the default value.
#   Some servers, e.g., Radiator, may require peaplabel=1 configuration to
#   interoperate with PEAPv1; see eap_testing.txt for more details.
#   'peap_outer_success=0' can be used to terminate PEAP authentication on
#   tunneled EAP-Success. This is required with some RADIUS servers that
#   implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,
#   Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode)
#   include_tls_length=1 can be used to force wpa_supplicant to include
#   TLS Message Length field in all TLS messages even if they are not
#   fragmented.
#   sim_min_num_chal=3 can be used to configure EAP-SIM to require three
#   challenges (by default, it accepts 2 or 3)
# phase2: Phase2 (inner authentication with TLS tunnel) parameters
#   (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
#   "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS)
# Following certificate/private key fields are used in inner Phase2
# authentication when using EAP-TTLS or EAP-PEAP.
# ca_cert2: File path to CA certificate file. This file can have one or more
#   trusted CA certificates. If ca_cert2 is not included, server
#   certificate will not be verified. This is insecure and the CA file
#   should always be configured.
# client_cert2: File path to client certificate file
# private_key2: File path to client private key file
# private_key2_passwd: Password for private key file
# dh_file2: File path to DH/DSA parameters file (in PEM format)
# subject_match2: Substring to be matched against the subject of the
#   authentication server certificate.
#
# EAP-PSK variables:
# eappsk: 16-byte (128-bit, 32 hex digits) pre-shared key in hex format
# nai: user NAI
# server_nai: authentication server NAI
#
# EAP-FAST variables:
# pac_file: File path for the PAC entries. wpa_supplicant will need to be able
#   to create this file and write updates to it when PAC is being
#   provisioned or refreshed.
# phase1: fast_provisioning=1 option enables in-line provisioning of EAP-FAST
#   credentials (PAC)
#
# wpa_supplicant supports number of "EAP workarounds" to work around
# interoperability issues with incorrectly behaving authentication servers.
# These are enabled by default because some of the issues are present in large
# number of authentication servers. Strict EAP conformance mode can be
# configured by disabling workarounds with eap_workaround=0.

network={
   ssid="abend"
   priority=5
   scan_ssid=1
   key_mgmt=NONE
   wep_key0=XXX
   wep_tx_keyidx=0
   auth_alg=OPEN
}

network={
   ssid="nashua"
   priority=10
   proto=WPA
   key_mgmt=WPA-PSK
   pairwise=TKIP
   group=TKIP
   psk=XXX
}

network={
   ssid="ninigret"
   priority=5
   scan_ssid=1
   key_mgmt=NONE
   wep_key0=XXX
   wep_tx_keyidx=0
   auth_alg=OPEN
}

# LEAP SECTION
network={
   ssid="IBM"
   priority=0
   key_mgmt=IEEE8021X
   eap=LEAP
   identity="gmishkin@us.ibm.com"
   password="XXX"
}

network={
   ssid="localset"
   priority=0
   key_mgmt=NONE
   wep_key0=XXX
   wep_tx_keyidx=0
   auth_alg=OPEN
}

network={
   ssid="LMC's wireless"
   key_mgmt=NONE
   priority=0
}
```

----------

## linuxbum

Roundstozero.

Yes, that's what I have and I still can't get the LEAP to authenticate.

At work they don't broadcast the SSID which I know has caused some errors for others using wpa.

Here is my wpa_supplicant.conf

```
network={
  ssid="workssid"
  key_mgmt=IEEE8021X
  auth_alg=LEAP
  eap=LEAP
  identity="XXXXXX"
  password="***********"
  priority=0
}
```

I know the ssid and credentials are right as I use these for windows box and other UNIX services via proxy.

----------
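
An added example, not part of the original thread: a small Python checker for wpa_supplicant network blocks that flags a malformed block opener, lines without `=`, and misspelled field names, then checks a LEAP block for the fields used by the working "LEAP SECTION" posted earlier. The sample input, the function names and the `hidden_ssid` parameter are constructed for illustration; the field list is taken from the example configuration quoted in the thread, and the permission check follows that file's note that it should be readable only by root.

```python
import difflib
import os
import re

# Field names as documented or used in the example wpa_supplicant.conf quoted in this thread.
KNOWN_FIELDS = sorted({
    "ssid", "scan_ssid", "bssid", "priority", "mode", "proto", "key_mgmt",
    "auth_alg", "pairwise", "group", "psk", "eapol_flags", "eap", "identity",
    "anonymous_identity", "password", "ca_cert", "client_cert", "private_key",
    "private_key_passwd", "phase1", "phase2", "wep_key0", "wep_tx_keyidx",
})

# Constructed sample: a LEAP block with hand-typing slips (not a real config).
SAMPLE = """\
network{
  ssid"workssid"
  key_mgt=IEEE8021X
  eap=LEAP
  idenity="user"
  paasword="secret"
}
"""


def parse_blocks(text):
    """Return (blocks, problems); each block is a dict of field -> value."""
    blocks, problems, current = [], [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if current is None:
            if re.match(r"network\b", line):
                if line != "network={":
                    problems.append(f"line {no}: block must open with 'network={{'")
                current = {}
            continue  # global settings (ap_scan, ctrl_interface, ...) are not checked
        if line == "}":
            blocks.append(current)
            current = None
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep:
            problems.append(f"line {no}: expected field=value, got {line!r}")
        elif key not in KNOWN_FIELDS:
            hint = difflib.get_close_matches(key, KNOWN_FIELDS, n=1)
            suffix = f" (did you mean {hint[0]!r}?)" if hint else ""
            problems.append(f"line {no}: unknown field {key!r}{suffix}")
        else:
            current[key] = value.strip()
    if current is not None:
        problems.append("unterminated network block")
    return blocks, problems


def check_leap(block, hidden_ssid=False):
    """Compare an eap=LEAP block with the working LEAP block from the thread."""
    if "LEAP" not in block.get("eap", "").split():
        return []
    issues = []
    if "IEEE8021X" not in block.get("key_mgmt", "").split():
        issues.append("key_mgmt lacks IEEE8021X (set in the working LEAP block)")
    for field in ("identity", "password"):
        if field not in block:
            issues.append(f"missing {field}")
    if hidden_ssid and block.get("scan_ssid") != "1":
        issues.append("SSID is not broadcast: set scan_ssid=1")
    return issues


def readable_by_others(path):
    """True if group or other permission bits are set on the config file."""
    return bool(os.stat(path).st_mode & 0o077)


if __name__ == "__main__":
    parsed, found = parse_blocks(SAMPLE)
    for problem in found:
        print(problem)
    for blk in parsed:
        for issue in check_leap(blk, hidden_ssid=True):
            print("LEAP block:", issue)
```
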

## RoundsToZero

Try changing ap_scan to 2.

----------

## linuxbum

Roundstozero,

Did you install the Cisco Client "net/cisco-aironet-client-utils"?

I have it installed to use the Cisco card.

How does wpa supply the LEAP CKIP if not installed as TKIP is standard but CKIP is Cisco version.

No help with the ap_scan=2

----------

## RoundsToZero

No, I do not have the Cisco tools installed.  I do not even have a Cisco card.  I got LEAP working with just ipw2200 and wpa_supplicant.  If you in fact have an Intel 2915 card you should be able to use the ipw2200 driver with it (this is the same driver I use for my card, an Intel 2200).

At this point just make sure that you have set up your /etc/conf.d/net file to reflect that the network interface for your 2915 should use wpa_supplicant.  Also in that file you should use -Dwext instead of -Dipw as the latter doesn't seem to work (for wpa_supplicant options in the net file).  Then when you bring up the 2195 interface (eth1 for me), you should see that it starts wpa_supplicant.  It should associate with the LEAP-enabled AP.  ap_scan=2 is just a different way to force the association; I think you only use it if it doesn't work with the default.

----------

## linuxbum

Yep all set like you said.

If I run command line wpa_supplicant -i eth1 -c /etc/wpa_supplicant.conf

I get

```
ioctl[PRISM2_IOCTL_HOSTAPD]: Operation not supported
Failed to set encryption.
```

I am now checking for the ieee80211 modules.

Took laptop home and it works fine for the WPA_PSK TKIP still even emerge -sync and emerge world -udv just to make sure.

Still works on the home network after changing back to "1"

Will try in am at work again.

----------

## RoundsToZero

It doesn't look like you put -Dwext.  It looks like it's trying to use another driver, PRISM2 maybe that's the default.  That's almost definitely not your card.  In any case, you should be able to get it working from the initscript.

EDIT: By the way, this is my command line for wpa_supplicant that the initscript runs:

```
/sbin/wpa_supplicant -Dwext -B -c/etc/wpa_supplicant.conf -i eth1
```

----------

## linuxbum

Looks like you put the -D in command line instead of letting it be set from /etc/conf.d/net file

Interesting, I will test and I will post back.

Thanks for the continued help

EDIT

OK, that stopped the PRISM error; guess that command line ignores /etc/conf.d/net file

Still working the LEAP issue.

----------

## RoundsToZero

It might just be ignoring wpa_supplicant completely.  In the net file, try this:

Make sure this is uncommented.  This will disable the iwconfig method of setting up wireless.

```
modules=( "!iwconfig" )
```

Make sure these lines are uncommented.  This will enable wpa_supplicant.

```
modules=( "wpa_supplicant" )
wpa_supplicant_eth1="-Dwext"
wpa_timeout_eth1=60
```

Then you should be able to use the initscript.  Make sure you have output like this when you start the initscript.

```
snowshoe ~ # /etc/init.d/net.eth1 start
 * Starting eth1
 *   Starting wpa_supplicant on eth1 ...                                  [ ok ]
 *     eth1 connected to "XXX" at XX:XX:XX:XX:XX:XX
 *   Bringing up eth1
 *     dhcp
 *       Running dhcpcd ...                                               [ ok ]
 *       eth1 received address a.b.c.d
```

If you're not even seeing the part about wpa_supplicant, then the initscript isn't even trying to use your leap configuration in wpa_supplicant.conf.

EDIT: That command line I posted earlier did come from the initscript; I just started the initscript, looked up wpa_supplicant's pid, and copied /proc/[pid]/cmdline.

EDIT 2: Once wpa_supplicant has started, you can check its status with the "wpa_cli" tool.  Simply run it, and type "status" at the prompt.  You should get something like this:

```
snowshoe ~ # wpa_cli
wpa_cli v0.4.7
Copyright (c) 2004-2005, Jouni Malinen <jkmaline@cc.hut.fi> and contributors

This program is free software. You can distribute it and/or modify it
under the terms of the GNU General Public License version 2.

Alternatively, this software may be distributed under the terms of the
BSD license. See README and COPYING for more details.

Selected interface 'eth1'

Interactive mode

> status
bssid=XX:XX:XX:XX:XX:XX
ssid=XXX
pairwise_cipher=TKIP
group_cipher=TKIP
key_mgmt=WPA-PSK
wpa_state=COMPLETED
```

Well that's what it'll look like if it works, in any case.  Obviously the values may change, but if you post the output, including wpa_state, that would help.

----------

## linuxbum

Roundtozero

Thanks for all your help.

Here is the init.d script's output:

```
cruz18 init.d # ./net.eth1 start
 * Caching service dependencies ...
 *  Service 'sysklogd' already provided by 'logger'!;
 *  Not adding service 'metalog'...                                       [ ok ]
 * Starting eth1
 *   Starting wpa_supplicant on eth1 ...                                  [ ok ]
 *     timed out                                                          [ !! ]
```

and here is a wpa_cli during that start:

```
cruz18 etc # wpa_cli status
Selected interface 'eth1'
wpa_state=DISCONNECTED
Supplicant PAE state=DISCONNECTED
suppPortStatus=Unauthorized
EAP state=DISABLED
cruz18 etc # wpa_cli status
Selected interface 'eth1'
wpa_state=DISCONNECTED
Supplicant PAE state=DISCONNECTED
suppPortStatus=Unauthorized
EAP state=DISABLED
```

I don't think it's trying LEAP at all.

----------

## RoundsToZero

Try adding -d or -dd to wpa_supplicant_eth1 in /etc/conf.d/net (along with your -D flag).  Then you should get some more output when you do /etc/init.d/net.eth1 start.

----------

## linuxbum

roundstozero

Also, I was able to check the WAP logs and see this station fail at authentication:

```
Station 0012f0e03ca4 Failed Authentication, status "Unsupported Authentication Algorithm"
```

So it is reaching the WAP.

I also know the id and password are OK; I use them every day for Windows and the Cisco 353 or CS21AG PCMCIA card.

Hey, I just thought of something: do you know how to tell it which WINDOWS AD DOMAIN the id and password is in?

The Windows Intel software asks for ID, DOMAIN, and password; that's got to be it!!

----------

## RoundsToZero

You could try setting your username in wpa_supplicant.conf as DOMAIN\username.  The "unsupported algorithm" section is suspect, though.  I can't think of any other things to add to your section in wpa_supplicant.conf, but if you read through the wpa_supplicant.conf.example file and learn what each of the methods is, one of them might ring a bell, like if you saw something similar in the Windows program.

Do you have everything selected for CryptoAPI in the kernel configuration?  It's under "Cryptographic Options" or "Cryptographic API".  You should see a list of crypto algorithms, make sure they are all either compiled in or configured as modules (except LZF, which needs to be compiled in if you are using suspend2).  I know that WEP uses the arc4 module, and TKIP uses michael_mic, your AP could be using something else.  Best to just have everything enabled.

----------

## 1shot1kill

I have LEAP working on my laptop, a Dell D610 with a Cisco Aironet 350 card and the Airo_cs drivers for it.  I downloaded a script called leaplogin that authenticates (which you can download on Cisco's website), then I just run dhclient. That might be the way to go.

----------

## linuxbum

1shotkill

Yes, I have the 350 series working fine.

The 2200 and 2915 Intel cards fail when using LEAP.

For the CB21AG card, Cisco does not have a Linux version of the driver like they did for the 350 series cards. Using the ACU drivers and software.

Cisco may never create a Linux driver for the CB21AG.

I am trying to get the Intel cards to do LEAP and the EAP_FAST next.

I need to test these

Thanks for the reply.

----------

## mfrafique

Dear All

Good morning, we are using NavisRadius 4. in our organization and we have 2 conditions to follow; given below are the conditions:

In the first condition, e.g. a user login id 'test' came from access server '1.1.1.1', we need to append "-khi" and it returns "test-khi" to the database.

In the second condition, if a user login id is 'test@khi', we need to trim "@khi" and it returns "test" only to the database server.

If anyone can help me in this regard, it will be highly appreciated.

----------

