My FR version is 2.1.10+dfsg-3build2_amd64. Unless there's a nice package for Ubuntu 12.04 server then I'll be compiling from source then I think.
This is the peap bit of eap.conf:

    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        # proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
    }

so yes, the "use_tunneled_reply" bit is there. Is that what's causing the copying of attributes from within the tunnel to fail, or is that setting what it's supposed to be?

I'm still getting my head around the eap thing - like for example why I need authorization and authentication settings in the inner-tunnel virtual server for eap again - my intuition would tell me that the inner eap just needs mschap in there if that's the protocol inside the tunnel, but then perhaps it's something to do with the "protection" bit of peap that means it's a "tunnel within a tunnel" or something. Like I said, still getting my head around it all.

I'd still like to get the attributes copying from the inner to outer tunnels regardless of the fix in 2.2. It's gnawing at me a bit.

Thanks
Andy

From: freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org] On Behalf Of Alex Sharaz
Sent: 10 May 2013 14:09
To: FreeRadius users mailing list
Subject: Re: Inner tunnel post auth question

Andy,
What version of FreeRadius are you using? I *think* that unless you are using the git source for 2.2.1, post-auth reject is broken. There was some stuff I was doing a few months ago that got fixed in 2.2.1 ... but I'm getting old and can't remember all the details :-(

On 10 May 2013, at 13:53, Franks Andy (RLZ) IT Systems Engineer <andy.fra...@sath.nhs.uk> wrote:

> Hi,
> This may have come up before but I can't find any solutions:
> I'm using a NAS which always performs EAP/MSCHAP2 authentication, so I've stripped the sites-enabled/default right down to pretty much just include the eap stuff for authorisation/authentication, and am doing all the rest inside the inner tunnel - fine.
> When the radius returns an access-accept, it runs the stuff in the inner-tunnel post_auth section ok, and I can record the attributes I want to a mysql db, including a custom ldap attribute inserted into a control variable. However it seems that following a reject, the post_auth reject section of inner-tunnel isn't actually used, so it doesn't record any info about the attributes in the sql database if I use an sql call. Ok .. so do it in the default post_auth reject bit - ok but I can't figure how to pass back control variables to the outer tunnel. I'd imagine it should be similar to the description in the post auth reject section of the inner tunnel:
>
>     update outer.reply {
>         User-Name = "%{request:User-Name}"
>     }

have you got use_tunneled_reply = yes set up in eap.conf?
Rgds
Alex

> But the section never gets called, so I tried putting it after the ldap authorization bit, as I can't do it in the authentication part, or so I gather (no unlang support in there?). In the below update, Ldap-UserDescription is my custom attribute, which I can see from the logs is being populated:
>
>     [ldap] description -> Ldap-UserDescription == "test ip phone"
>
>     authorize {
>         ..
>         ..
>         ldap
>         update outer.control {
>             Ldap-UserDescription := "%{control:Ldap-UserDescription}"
>         }
>     }
>
> But again it doesn't make it through (or am I doing it wrong?)
>
>     +- entering group REJECT {...}
>         expand: %{control:Ldap-UserDescription} -> :
>     ++[reply] returns noop
>
> Am I being stupid? The best thing would be for the post_auth reject section in inner tunnel to run, but failing that I need to work out the control item passback to the outer tunnel.
> Thanks for any help in advance!
> Andy
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
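As an added illustration (not configuration from the thread or from the FreeRADIUS project), this is the shape of an inner-tunnel post-auth section that logs to sql and copies attributes to the outer lists on both the accept and the reject path. It assumes the Post-Auth-Type REJECT block is actually entered on a reject (which, per Alex, needs 2.2.1) and that the ldap module has already populated Ldap-UserDescription in the inner control list.

```text
# sites-enabled/inner-tunnel (FreeRADIUS 2.x) -- added illustration, not from the thread.
# Assumes: the REJECT path is reached on an inner reject (fixed in 2.2.1 per Alex),
# and Ldap-UserDescription was set in control by the ldap module in authorize.
post-auth {
    # Accept path: record the inner attributes, then hand the ones the NAS
    # needs back to the outer (PEAP) reply explicitly, the alternative to
    # relying on use_tunneled_reply = yes in eap.conf.
    sql
    update outer.reply {
        User-Name = "%{request:User-Name}"
    }
    update outer.control {
        Ldap-UserDescription := "%{control:Ldap-UserDescription}"
    }

    Post-Auth-Type REJECT {
        # Reject path: same sql logging and the same copy to the outer
        # control list, so the outer post-auth REJECT block can expand
        # %{control:Ldap-UserDescription} instead of getting an empty string.
        sql
        update outer.control {
            Ldap-UserDescription := "%{control:Ldap-UserDescription}"
        }
        attr_filter.access_reject
    }
}
```

Run radiusd -X and check that "entering group REJECT" in the inner tunnel is followed by the sql and update calls; if it never appears, the version issue Alex describes is the first thing to rule out.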