Adam W. Sewell wrote:
> I am using PEAP/MsChapv2.

Exactly. There are multiple packet exchanges as part of one PEAP authentication.

> I am using a perl script to authorize the user access to the network based on
> some information that is pulled out of a database via our perl script. This
> part is working ok. What I want to happen is with the NAS-IP-Address being
> sent back, I can tell the port on the switch (NAS) which policy this person
> should have. This would work great if I could get some consistent data from
> the NAS.

Then put it in the "post-auth" section. In 2.0.5, raddb/sites-available/default, section post-auth.

> Below are some excerpts from debug log and a log of the variables in
> RAD_REQUEST for one of our test users. I've looked through the logs and all I
> can come up with is that it looks like some of the packets are being proxied
> even though I have proxy turned off in the radius.conf file and have the
> proxy.conf file commented out.

Which explains what's going on. PEAP is really two things: an outer TLS session, and inner EAP-MSCHAPv2 authentication. So there are *two* streams of RADIUS packets. One that sets up the tunnel, and one that does the authentication inside of the tunnel.

Alan DeKok.
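
An added sketch (not part of the original thread, and not FreeRADIUS project code) of a post-auth hook in the style of the poster's rlm_perl script: it assigns a policy only when the request carries NAS-IP-Address, and rejects when no policy is on record. The policy table, user names, addresses and the use of Filter-Id to carry the policy are assumptions for illustration.

```perl
use strict;
use warnings;

# rlm_perl populates these package hashes before calling each hook.
our (%RAD_REQUEST, %RAD_REPLY);

# rlm_perl return codes (subset).
use constant { RLM_MODULE_REJECT => 0, RLM_MODULE_OK => 2, RLM_MODULE_NOOP => 7 };

# Constructed stand-in for the database lookup: user -> NAS -> policy name.
my %POLICY = (
    'alice' => { '192.0.2.10' => 'staff' },
    'bob'   => { '192.0.2.10' => 'guest' },
);

# Meant to be called from the post-auth section of the server the NAS talks to.
sub post_auth {
    my $nas  = $RAD_REQUEST{'NAS-IP-Address'};
    my $user = $RAD_REQUEST{'User-Name'};

    # A request from inside the PEAP tunnel may lack the NAS attributes;
    # make no policy decision on it.
    return RLM_MODULE_NOOP unless defined $nas && defined $user;

    # Fail closed: no policy on record for this user at this NAS, no access.
    my $per_user = $POLICY{lc $user} || {};
    my $policy   = $per_user->{$nas};
    return RLM_MODULE_REJECT unless defined $policy;

    # Assumption: the switch reads its port policy from Filter-Id.
    $RAD_REPLY{'Filter-Id'} = $policy;
    return RLM_MODULE_OK;
}

# Stand-alone demo with constructed requests; drop this loop before
# loading the file under rlm_perl.
for my $req (
    { 'User-Name' => 'alice',   'NAS-IP-Address' => '192.0.2.10' },  # outer request
    { 'User-Name' => 'alice' },                                      # inner tunnel
    { 'User-Name' => 'mallory', 'NAS-IP-Address' => '192.0.2.10' },  # no policy
) {
    %RAD_REQUEST = %$req;
    %RAD_REPLY   = ();
    my $rc = post_auth();
    printf "%-8s nas=%-11s rc=%d filter=%s\n", $req->{'User-Name'},
        $req->{'NAS-IP-Address'} // '-', $rc, $RAD_REPLY{'Filter-Id'} // '-';
}
```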