Hi,
>> No. You should be running through your authorisation policies on
>> session resumption. All policies should be moved to the post-auth
>> section of the outer server.
>>     
>
> but only the inner server knows the real id etc ?
>   
Yes, so have it tell the outer server... Insert the (attached) snippet
into the authorize section of the inner server.

There's an issue where outer.reply items aren't merged with the reply
when doing EAP-TTLS-MSCHAPv2. So you still have to have
'use_tunneled_reply' set to yes.

I believe the User-Name attribute in outer.reply is cached, and
available for use on session resumption. So just:

Auth-Type EAP {
    eap
    if(ok && "%{reply:User-Name}"){
        update request {
            User-Name := "%{reply:User-Name}"
        }
    }
}

Once you've got the policies moved to post-auth, then any scripts or
lookups used for authorisation will only be run once, so far greater
efficiency with complex policies. Rejects are still handled properly
even within the Post-Auth section (jumps to Post-Auth-Type reject).

Arran

#
#       Workaround for EAP-TTLS MSCHAPv2, not adding outer.reply attributes.
#       If we use both methods we get duplicate User-Name attributes.
#
#       For TTLS/MSCHAPv2 the inner reply is copied out with
#       use_tunneled_reply, so set User-Name there; for everything else
#       set it directly in the outer reply.
#
if (("%{outer.request:EAP-Type}" == 'EAP-TTLS') && ("%{control:Auth-Type}" == 'MSCHAP')) {
        update reply {
                User-Name := "%{Stripped-User-Name}"
        }
}
else {
        update outer.reply {
                User-Name := "%{Stripped-User-Name}"
        }
}

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

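The pieces above put together into one layout, as an added example that is not Arran's attachment or the FreeRADIUS project's own configuration. It assumes FreeRADIUS 2.x unlang syntax, the default site names (sites-enabled/default and sites-enabled/inner-tunnel), TLS session caching turned on and use_tunneled_reply enabled in eap.conf, and a hypothetical policy (users in a made-up example.com realm get VLAN 100, everyone else is rejected) standing in for whatever authorisation lookup is being moved to post-auth.

```unlang
# eap.conf (assumed settings; only the relevant lines are shown)
eap {
        tls {
                cache {
                        # Session resumption: a resumed client skips the
                        # inner tunnel, so outer authorize sees only the
                        # anonymous outer identity.
                        enable = yes
                }
        }
        ttls {
                # Needed so the inner reply (incl. User-Name) reaches the
                # outer reply for TTLS/MSCHAPv2.
                use_tunneled_reply = yes
        }
}

# sites-enabled/inner-tunnel
authorize {
        mschap
        suffix
        eap
        files
        # Hand the real identity to the outer server.
        if (("%{outer.request:EAP-Type}" == 'EAP-TTLS') && ("%{control:Auth-Type}" == 'MSCHAP')) {
                update reply {
                        User-Name := "%{Stripped-User-Name}"
                }
        }
        else {
                update outer.reply {
                        User-Name := "%{Stripped-User-Name}"
                }
        }
}

# sites-enabled/default (outer server)
authorize {
        preprocess
        suffix
        eap {
                ok = return
        }
        # No authorisation policy here: on a resumed session the real
        # identity is not yet known.
}

authenticate {
        Auth-Type EAP {
                eap
                # Full handshake: inner tunnel just filled reply:User-Name.
                # Resumed session: reply:User-Name comes from the cache.
                if (ok && "%{reply:User-Name}") {
                        update request {
                                User-Name := "%{reply:User-Name}"
                        }
                }
        }
}

post-auth {
        # Hypothetical policy, run exactly once for both full and
        # resumed sessions, keyed on the real identity.
        if (User-Name =~ /@example\.com$/) {
                update reply {
                        Tunnel-Type := VLAN
                        Tunnel-Medium-Type := IEEE-802
                        Tunnel-Private-Group-Id := "100"
                }
        }
        else {
                # A reject here still ends in Post-Auth-Type REJECT.
                reject
        }

        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}
```

Verify with `radiusd -X` and a resumed connection from a real supplicant (eapol_test can drive a second handshake against the same server): the debug output should show post-auth acting on the real user name on the resumed session, with no call into the inner-tunnel server.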