Andy,
What version of FreeRadius are you using?
I *think* that unless you are using the git source for 2.2.1, post-auth reject 
is broken. There was some stuff I was doing a few months ago that got fixed in 
2.2.1 … but I'm getting old and can't remember all the details :-(


On 10 May 2013, at 13:53, Franks Andy (RLZ) IT Systems Engineer 
<andy.fra...@sath.nhs.uk> wrote:

> Hi,
> 
>   This may have come up before but I can’t find any solutions :
> 
> I’m using a NAS which always performs EAP/MSCHAP2 authentication, so I’ve 
> stripped the sites-enabled/default right down to pretty much just include the 
> eap stuff for authorisation/authentication, and am doing all the rest inside 
> the inner tunnel – fine.
> 
> When the radius returns an access-accept, it runs the stuff in the 
> inner-tunnel post_auth section ok, and I can record the attributes I want to 
> a mysql db, including a custom ldap attribute inserted into a control 
> variable.
> 
> However it seems that following a reject, the post_auth reject section of 
> inner-tunnel isn’t actually used, so it doesn’t record any info about the 
> attributes in the sql database if I use an sql call.
> 
> Ok .. so do it in the default post_auth reject bit – ok but I can’t figure 
> how to pass back control variables to the outer tunnel. I’d imagine it should 
> be similar to the description in the post auth reject section of the inner 
> tunnel :
> 
> update outer.reply {
>         User-Name = "%{request:User-Name}"
> }
> 
> 
have you got 
use_tunneled_reply = yes
set up in eap.conf?

Rgds
Alex

> But the section never gets called, so I tried putting it after the ldap 
> authorization bit, as I can’t do it in the authentication part, or so I 
> gather (no unlang support in there?).
> 
> In the below update, ldap-UserDescription is my custom attribute, which I can 
> see from the logs is being populated :
> 
>  [ldap] description -> Ldap-UserDescription == "test ip phone"
> 
> 
> authorize {
>         ..
>         ..
>         ldap
>         update outer.control {
>                 Ldap-UserDescription := "%{control:Ldap-UserDescription}"
>         }
> }
> 
> But again it doesn’t make it through (or am I doing it wrong?)
> 
> 
> +- entering group REJECT {...}
>         expand: %{control:Ldap-UserDescription} -> :
> ++[reply] returns noop
> 
> 
> Am I being stupid? The best thing would be for the post_auth reject section 
> in inner tunnel to run, but failing that I need to work out the control item 
> passback to the outer tunnel.
> 
> Thanks for any help in advance!
> 
> Andy
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

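A constructed configuration (added here; not from this thread or the FreeRADIUS defaults) that puts the two suggestions together: `use_tunneled_reply = yes` in eap.conf, plus an inner-tunnel `Post-Auth-Type REJECT` block that copies the LDAP value into `outer.control` and logs through `sql` before the outer reject section runs. It assumes Ldap-UserDescription is mapped in ldap.attrmap as the debug line above shows, and that the inner reject section actually runs on the version in use (2.2.1 or later, per the first reply).

```unlang
# eap.conf (constructed example)
eap {
        peap {
                default_eap_type = mschapv2
                virtual_server = "inner-tunnel"
                # copy reply attributes set inside the tunnel to the outer reply
                use_tunneled_reply = yes
        }
}

# sites-enabled/inner-tunnel (constructed example)
authorize {
        # ldap.attrmap fills control:Ldap-UserDescription from "description"
        ldap
        mschap
        eap
}

post-auth {
        # inner Access-Accept: hand the value outward, then log (postauth_query)
        update outer.control {
                Ldap-UserDescription := "%{control:Ldap-UserDescription}"
        }
        sql

        Post-Auth-Type REJECT {
                # inner Access-Reject: same copy and the same SQL log, so the
                # failed attempt is recorded with the LDAP description
                update outer.control {
                        Ldap-UserDescription := "%{control:Ldap-UserDescription}"
                }
                sql
                attr_filter.access_reject
        }
}

# sites-enabled/default, outer post-auth (constructed example)
post-auth {
        Post-Auth-Type REJECT {
                # %{control:Ldap-UserDescription} now expands here, so the
                # postauth_query in sql.conf can reference it too
                sql
                attr_filter.access_reject
        }
}
```

If the outer debug output still shows `expand: %{control:Ldap-UserDescription} -> :`, the inner REJECT block never ran, which points back at the version question in the first reply rather than at the `update outer.control` syntax.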
