PENZ Robert wrote:
> I want to configure Freeradius (freeradius-2.1.12-4.el6_3) to authenticate
> failed EAP-TLS requests (from authorized MACs) to a remediation VLAN and not
> reject them to the guest VLAN. My config looks like this:
That will work only for wired authentication, and sometimes not even then.
> # EAP didn't work
> if (EAP-Type == "NAK") {
>     update control {
>         MACAU-Reason := "unsupported EAP typ --> Client misconfiguration"
>         Auth-Type := Accept

That doesn't work. You MUST return an EAP-Message attribute in the
reply. Just sending an Access-Accept means that the NAS will *ignore*
it, and close the connection.

And this kind of thing is generally not recommended, because the
server isn't really designed to fail authentication, and then force a
success.

You should instead do as little as possible in the "authenticate"
section. Just change the return code to "ok".

Then do any policy setting (VLAN, etc.) in post-auth.

Alan DeKok.