Arran Cudbard-Bell <[email protected]> wrote:
>
> On 1/17/2010 8:37 AM, Alexander Clouter wrote:
>> James J J Hooper <[email protected]> wrote:
>>
>>> In order to also return e.g. VLAN IDs (that could be computed from the
>>> inner User-Name in a non-session-resumption enabled config), I can move
>>> the config that sets the VLAN to the outer tunnel post-auth && ensure the
>>> inner tunnel sets:
>>> reply:outer User-Name to request:inner User-Name
>>> and then key my VLAN computation (in outer post-auth) from reply:User-Name.
>>>
>> We have been doing authorisation depending on the outer layer since
>> summer.
>
> How did you get around the "my policy rejects you now, but i've already
> sent a tunneled success TLV in the TLS tunnel and you're now ignoring my
> EAP-Failure messages" issue... or are you just happily ignoring it/
> encouraging adoption of TTLS-PAP like I was? :)
>
Probably as I do not use user *authorisation*... :P
It's nuts to do user authorisation for network nodes; user authorisation lives further up the stack and should stay in the realm of layer 5 where it belongs.

What I do though is let user authentication 'bootstrap' the host authentication, so you think of it as "I, user xyz, vouch that I am responsible for MAC address abc for the duration of my session"; with that in mind you can forget about user authorisation... which is just a plain nasty idea anyway.

If yer interested, you can see what I'm doing more or less:

http://stuff.digriz.org.uk/freeradius-public-20100101.tar.gz

Been a few minor changes/cleanups since though so be gentle ;)

Cheers

--
Alexander Clouter
.sigmonster says: Preserve Wildlife! Throw a party today!

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
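The inner-to-outer User-Name hand-off that James describes in the quoted part of the thread (inner tunnel copies its authenticated identity into the outer reply; outer post-auth keys the VLAN on it), written out as FreeRADIUS 2.x unlang. This is an added illustration for readers of the thread, not configuration from the messages above or from Alexander's tarball; the realm names, VLAN numbers and the choice of a fallback VLAN are placeholders and assumptions for this example.

```unlang
# sites-enabled/inner-tunnel
# (the virtual server named by the TTLS/PEAP "virtual_server" setting in eap.conf)
post-auth {
        # Copy the authenticated INNER identity into the reply list of the
        # OUTER request, so the outer post-auth sees who actually logged in
        # rather than the (possibly anonymous) outer identity.
        update outer.reply {
                User-Name := "%{request:User-Name}"
        }
}

# sites-enabled/default
# (the outer virtual server that receives the EAP-TTLS/PEAP request)
post-auth {
        # Key the VLAN decision on the inner identity copied out above.
        # Realms and VLAN ids are made-up placeholders for this example.
        if (reply:User-Name =~ /@staff\.example\.org$/) {
                update reply {
                        Tunnel-Type := VLAN
                        Tunnel-Medium-Type := IEEE-802
                        Tunnel-Private-Group-Id := "100"
                }
        }
        elsif (reply:User-Name =~ /@student\.example\.org$/) {
                update reply {
                        Tunnel-Type := VLAN
                        Tunnel-Medium-Type := IEEE-802
                        Tunnel-Private-Group-Id := "200"
                }
        }
        else {
                # No mapping for this identity. Rejecting here runs into the
                # problem Arran raises (the inner method has already signalled
                # success inside the TLS tunnel), so this example places the
                # session on a restricted VLAN instead; the number is an assumption.
                update reply {
                        Tunnel-Type := VLAN
                        Tunnel-Medium-Type := IEEE-802
                        Tunnel-Private-Group-Id := "999"
                }
        }
}
```

The explicit `update outer.reply` copies only User-Name; the `use_tunneled_reply = yes` setting in the ttls/peap sections of eap.conf is the coarser alternative that copies every inner reply attribute to the outer reply. Either way the outer post-auth reads `reply:User-Name`, not `request:User-Name`, because the outer request still carries the outer (anonymous) identity.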

