On 08/08/13 11:07, Shaw, Colin M. wrote:
difference. Lastly, for testing purposes, if I insert the required attributes into the default post-auth then it all works and the wired client is assigned the correct vlan, so again the switch side must be ok and I also therefore presume all the dictionary entries are there as required. But I shouldn’t need (or want) to do this.
Yes you should. You should always aim to set these attributes in post-auth; otherwise you'll see what you are seeing, the attributes getting set in access-challenge. This is a function of how EAP is processed by the server.
It’s as though the attributes are being removed or ignored somewhere in the PEAP/inner-tunnel process (but that’s just a guess). What am I just not getting here? I’m sure it must be something simple but I can’t see it.
Without a full debug, it's not obvious what you need to change, because it's not obvious what you are doing. But it *might* be that you've missed "use_tunneled_reply" in the "peap {}" section.
Hopefully this sort of thing has been done enough times that someone out there has fallen into whatever trap I currently find myself in and can point me in the right direction I need to be looking. But if not, I can of course supply the output of radiusd –X and the switch debug if it’s going to help any.
Yes, it will. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
