On 27/01/11 21:30, Matt Garretson wrote:
On 1/27/2011 3:03 PM, Phil Mayers wrote:
I've met this need (using 2.1.11 from git) with a simple bit of unlang
in post-auth{}:
if ( "%{TLS-Client-Cert-Subject}" =~ /OU=Evil/ ) {
    reject
}
Just put this in the "authorize" section? If it's early in the EAP
conversation, TLS-Client-* won't be set so won't match, meaning this
will succeed as soon as you get that far.
I'm not sure I follow you here. Are you saying that there is a place in
the authorize section where TLS-Client-* _would_ be accessible to
unlang? I've tried it in a few places (before eap, after eap, at the
top of the section, at the bottom of the section) and it seemed to have
no effect. But it's entirely possible that I missed something during
these tests.
You're right, I'm wrong.
EAP of course runs all its guts in the "authenticate" section, so
nothing is available during the "authorize" section.
Sorry for the noise.
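The placement the thread settles on, written out as an added example (not part of the original messages and not FreeRADIUS project code); it assumes 2.x unlang syntax as used above, the usual sites-enabled/default virtual server, and a deployment where every client that reaches post-auth is expected to have presented a TLS client certificate:

```unlang
# sites-enabled/default (assumed path) -- constructed example, FreeRADIUS 2.x unlang.
# The TLS-Client-Cert-* attributes are only populated once EAP-TLS has run in
# "authenticate", so a match placed in "authorize" never fires and the request
# is silently accepted. Doing the check in post-auth sees the real subject.
post-auth {
    # Fail closed: if no certificate subject reached this request at all,
    # do not let the OU check be skipped just because there is nothing to match.
    if (!TLS-Client-Cert-Subject) {
        reject
    }

    # A subject is present; reject the unwanted organisational unit.
    if ("%{TLS-Client-Cert-Subject}" =~ /OU=Evil/) {
        reject
    }
}
```

If the same server also accepts non-certificate methods (PAP, EAP-MSCHAPv2 without an outer TLS certificate), drop the first block or scope it to the EAP-TLS clients, otherwise those requests are rejected too.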
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html