*sigh*
You cannot do what you want. Even if you send an Access-Accept, the client will
most likely disconnect of its own accord, because you cannot fake a success
message in the inner tunnel. Unless of course you're using some weird funky
cisco client that ignores all the standards.
If you really don't believe us, try it for yourself:
Post-Auth {
Post-Auth-Type REJECT {
if("%{reply:EAP-Message}" =~ /0x04([0-9a-f]{2}).*/i){
update reply {
EAP-Message := "0x03%{1}0004"
}
}
update control {
Response-Packet-Type := Access-Accept
}
}
}
Note: Modifying Repost-Packet-Type that may not be supported in future versions.
-Arran
On 30 Aug 2012, at 17:52, Andras Ionut <[email protected]> wrote:
> Hi Phil,
>
> Sorry if this looks dump for you.
>
> I've read your post the reason I've explicitely asked how to do this in PEAP
> is because in the post it says:
> "This only works for PAP, and does NOT work for EAP-TLS, CHAP, MSCHAP, or
> WIMAX authentication."
>
> Now, I especially need to send Access-Accept for PEAP with inner
> EAP-MSCHAPv2, and I also I don't use MyQL to select the users.
> I've also tried to set Access-Accept as any other AVP from my Freeradius
> module, but doesn't work. (extract from log attached)
>
> Can you please help?
>
> Thanks in advance.
> Andras
>
>
>
>
>
> On 30/08/12 15:11, Andras Ionut wrote:
> > Hi Phil,
> >
> > Thanks a lot for the quick response.
> >
> > I need this for PEAP with EAP protocol inside the tunnel, like EAP-MSCHAPv2.
> >
> > Again, The device MUST reject the connection as EAP is not completed,
> > but the ROUTER needs that Access-Accept,
> > in order to be able to redirect user to portal.
> >
> > Can this be done?
>
> The technique to do this is described in the FAQ entry I linked. Did you
> read it?
>
> <radius.txt>-
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
