Phil Mayers wrote:
> Isn't there a problem with that approach though? Namely, that the TLS-*
> attributes aren't available in the "authorize" section (because the eap
> module, and all the EAP methods, do their work in "authenticate").

Yes.

> But in post-auth, turning an accept into a reject is fraught, and bad
> practice?

The certs can be checked in the "authenticate" section, too.

> This comes up occasionally when people want to check the TLS-*
> attributes and act on them (as opposed to logging them).

The rlm_eap code could be modified to look up the handler in the authorize section. If found, the certs could be added to the request. It's probably not a lot of code, and could be useful for 3.0.

Alan DeKok.

