Hi!
> That doesn't work. You MUST return an EAP-Message attribute in the
> reply. Just sending an Access-Accept means that the NAS will *ignore*
> it, and close the connection.
I've removed the "Auth-Type := Accept" lines and kept the "ok" line, so it
looks this way:
    # EAP didn't work
    if (EAP-Type == "NAK") {
        update control {
            MACAU-Reason := "unsupported EAP typ --> Client misconfiguration"
        }
    }
    else {
        update control {
            MACAU-Reason := "certificate invalid (e.g. revoked/expired)"
        }
    }
    ok
which leads to this
Tue May 28 09:49:44 2013 : Info: +++? if (EAP-Type == "NAK")
Tue May 28 09:49:44 2013 : Info: ? Evaluating (EAP-Type == "NAK") -> FALSE
Tue May 28 09:49:44 2013 : Info: +++? if (EAP-Type == "NAK") -> FALSE
Tue May 28 09:49:44 2013 : Info: +++- entering else else {...}
Tue May 28 09:49:44 2013 : Info: ++++[control] returns invalid
Tue May 28 09:49:44 2013 : Info: +++- else else returns invalid
Tue May 28 09:49:44 2013 : Info: ++- else else returns invalid
Tue May 28 09:49:44 2013 : Info: Failed to authenticate the user.
Tue May 28 09:49:44 2013 : Auth: Login incorrect (TLS Alert write:fatal:certificate unknown): [host/xxxxxxxx/<via Auth-Type = EAP>] (from client xxxxxxxxxxx port 1015 cli xxxxxxxxxxxx)
Tue May 28 09:49:44 2013 : Info: Using Post-Auth-Type Reject
Tue May 28 09:49:44 2013 : Info: # Executing group from file /etc/raddb/sites-enabled/default
> And this kind of thing is generally not recommended, because the
> server isn't really designed to fail authentication, and then force a
> success.
> You should instead do as little as possible in the "authenticate"
> section. Just change the return code to "ok".
> Then do any policy setting (VLAN, etc.) in post-auth.
But I can't change a Reject to Accept in Post-Auth .. at least that's what I
read. Can you show me what I should do? I don't need to change VLANs .. just
need an accept, the VLAN is already correct (set in authorize already as it's
the same as for MAC authentication).
Robert
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html