Andy,

What version of FreeRADIUS are you using? I *think* that unless you are using the git source for 2.2.1, post-auth reject is broken. There was some stuff I was doing a few months ago that got fixed in 2.2.1 ... but I'm getting old and can't remember all the details :-(
On 10 May 2013, at 13:53, Franks Andy (RLZ) IT Systems Engineer <andy.fra...@sath.nhs.uk> wrote:

> Hi,
>
> This may have come up before but I can't find any solutions:
>
> I'm using a NAS which always performs EAP/MSCHAPv2 authentication, so I've
> stripped the sites-enabled/default right down to pretty much just include the
> eap stuff for authorisation/authentication, and am doing all the rest inside
> the inner tunnel – fine.
>
> When the radius returns an access-accept, it runs the stuff in the
> inner-tunnel post_auth section ok, and I can record the attributes I want to
> a mysql db, including a custom ldap attribute inserted into a control
> variable.
>
> However it seems that following a reject, the post_auth reject section of
> inner-tunnel isn't actually used, so it doesn't record any info about the
> attributes in the sql database if I use an sql call.
>
> Ok .. so do it in the default post_auth reject bit – ok, but I can't figure
> out how to pass back control variables to the outer tunnel. I'd imagine it
> should be similar to the description in the post auth reject section of the
> inner tunnel:
>
>     update outer.reply {
>         User-Name = "%{request:User-Name}"
>     }

Have you got use_tunneled_reply = yes set up in eap.conf?

Rgds
Alex

> But the section never gets called, so I tried putting it after the ldap
> authorization bit, as I can't do it in the authentication part, or so I
> gather (no unlang support in there?).
>
> In the below update, Ldap-UserDescription is my custom attribute, which I can
> see from the logs is being populated:
>
>     [ldap] description -> Ldap-UserDescription == "test ip phone"
>
>     authorize {
>         ..
>         ..
>         ldap
>         update outer.control {
>             Ldap-UserDescription := "%{control:Ldap-UserDescription}"
>         }
>     }
>
> But again it doesn't make it through (or am I doing it wrong?)
>
>     +- entering group REJECT {...}
>         expand: %{control:Ldap-UserDescription} -> :
>     ++[reply] returns noop
>
> Am I being stupid? The best thing would be for the post_auth reject section
> in inner tunnel to run, but failing that I need to work out the control item
> passback to the outer tunnel.
>
> Thanks for any help in advance!
>
> Andy
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
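For readers landing on this thread: the following is an added example of how the pieces discussed above fit together in a FreeRADIUS 2.x configuration. It is not configuration posted by Andy, Alex or the other replier, and it assumes the ldap and sql modules are already configured, that Ldap-UserDescription is a locally defined dictionary attribute (the name comes from Andy's mail), and that the sql module's postauth_query references %{control:Ldap-UserDescription} (an assumption, not shown in the thread). The point it makes is that if the inner-tunnel's Post-Auth-Type REJECT section actually runs, the attribute is logged from the inner request's own control list and no passback to the outer server is needed; the update outer.reply block only copies what the outer server's reject handling needs.

```unlang
# sites-enabled/inner-tunnel (FreeRADIUS 2.x), relevant sections only.
# Added example, not configuration from the thread. Assumes ldap and sql
# are configured and Ldap-UserDescription is in a local dictionary.
server inner-tunnel {
    authorize {
        # The ldap module populates control:Ldap-UserDescription, which is
        # what the "[ldap] description -> Ldap-UserDescription" debug line
        # shows. It stays in the inner request's control list.
        ldap
        mschap
        eap {
            ok = return
        }
    }

    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }

    post-auth {
        # Access-Accept path: sql sees %{control:Ldap-UserDescription}
        # directly, no copying to the outer server required for logging.
        sql

        Post-Auth-Type REJECT {
            # Reject path. The top reply in this thread says this section
            # may not run on 2.x releases before 2.2.1; confirm with
            # "radiusd -X" that the inner-tunnel server reports
            # "entering group REJECT" for a failed inner authentication.
            sql
            attr_filter.access_reject

            # Copy only what the outer server's reject handling needs.
            # Control attributes are not carried across the tunnel, so
            # anything the outer post-auth must see has to be set here.
            update outer.reply {
                User-Name = "%{request:User-Name}"
            }
        }
    }
}

# eap.conf: the setting Alex asks about. It copies the inner tunnel's
# reply attributes into the outer Access-Accept; it does not copy the
# control list, and it does not apply to a rejected inner authentication.
eap {
    peap {
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
        use_tunneled_reply = yes
    }
}
```

When checking this, run radiusd -X and compare where the "entering group REJECT" line appears: under the inner-tunnel server it means the inner reject section ran and sql was called with the inner control list; if it only appears for the outer default server, as in Andy's debug output, the inner section was skipped and %{control:Ldap-UserDescription} will expand empty there because that control attribute belongs to the inner request.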