Hi,

This may have come up before but I can't find any solutions:

I'm using a NAS which always performs EAP/MSCHAP2 authentication, so I've stripped the sites-enabled/default right down to pretty much just include the eap stuff for authorisation/authentication, and am doing all the rest inside the inner tunnel - fine.

When the radius returns an access-accept, it runs the stuff in the inner-tunnel post_auth section ok, and I can record the attributes I want to a mysql db, including a custom ldap attribute inserted into a control variable.

However it seems that following a reject, the post_auth reject section of inner-tunnel isn't actually used, so it doesn't record any info about the attributes in the sql database if I use an sql call.

Ok .. so do it in the default post_auth reject bit - ok but I can't figure how to pass back control variables to the outer tunnel. I'd imagine it should be similar to the description in the post auth reject section of the inner tunnel:

    update outer.reply {
        User-Name = "%{request:User-Name}"
    }

But the section never gets called, so I tried putting it after the ldap authorization bit, as I can't do it in the authentication part, or so I gather (no unlang support in there?).

In the below update, ldap-UserDescription is my custom attribute, which I can see from the logs is being populated:

    [ldap] description -> Ldap-UserDescription == "test ip phone"

    Authorize {
        ..
        ..
        ldap
        update outer.control {
            Ldap-UserDescription := "%{control:Ldap-UserDescription}"
        }
    }

But again it doesn't make it through (or am I doing it wrong?)

    +- entering group REJECT {...}
    expand: %{control:Ldap-UserDescription} -> :
    ++[reply] returns noop

Am I being stupid? The best thing would be for the post_auth reject section in inner tunnel to run, but failing that I need to work out the control item passback to the outer tunnel.

Thanks for any help in advance!

Andy