Thanks a lot guys, it's working properly now
Best regards
Anatoli
Arran Cudbard-Bell wrote:
Hi,
No. You should be running through your authorisation policies on
session resumption. All policies should be moved to the post-auth
section of the outer server.
but only the inner server knows the real id etc ?
Yes, so have it tell the outer server... Insert the (attached) snippet
into the authorize section of the inner server.
There's an issue where outer.reply items aren't merged with the reply
when doing EAP-TTLS-MSCHAPv2. So you still have to have
'use_tunneled_reply' set to yes.
I believe the User-Name attribute in outer.reply is cached, and
available for use on session resumption. So just:
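Auth-Type EAP {
    eap
    # If EAP returned ok and the reply carries a User-Name,
    # copy it into the request so later policies see that identity.
    if (ok && "%{reply:User-Name}") {
        update request {
            User-Name := "%{reply:User-Name}"
        }
    }
}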
Once you've got the policies moved to post-auth, then any scripts or
lookups used for authorisation will only be run once, so far greater
efficiency with complex policies. Rejects are still handled properly
even within the Post-Auth section (jumps to Post-Auth-Type reject).
Arran
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html