unlang question

Alan DeKok aland at deployingradius.com
Wed Sep 26 17:32:24 CEST 2007


Norbert Wegener wrote:
> ... The client authenticates via a certificate. Everything
> works as expected. Nevertheless someone inspecting the switch logs found:
...
> and claimed, the Access-Challenge with Tunnel-Private-Group,
> Tunnel-Medium-Type etc. are not RFC compatible.

  Yes.

> I can see those values in radiusd -AX, too, but didn't care.
> 
> My question is:
> Is he right?
> If so: How would I have to change the configuration?

  Ideally, the attributes in the reply should be sent ONLY on
Access-Accept.  i.e. the configuration should NOT update the reply until
it has determined that the user has been authenticated.

  This involves moving most of the policy from the "authorize" section
to the "post-auth" section.


> In my sites-enabled/default I have:
> ...  
> # ldap1/2 set control:Huntgroup-Name.
> 
>         redundant {

  Which section?  authorize?

  Alan DeKok.
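
An added illustration of the change described in the reply above; it is not from the thread and not the poster's actual configuration. It assumes the policy keys on control:Huntgroup-Name as set by ldap1/ldap2. The group name "staff", the VLAN ID "20" and the section layout are hypothetical placeholders.

```unlang
# BEFORE (assumed layout): the reply is updated in "authorize". That section
# runs for every Access-Request of the EAP conversation, so the Tunnel-*
# attributes also end up in each Access-Challenge.
authorize {
	redundant {
		ldap1                       # sets control:Huntgroup-Name
		ldap2
	}
	if (control:Huntgroup-Name == "staff") {    # placeholder group
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "20"     # placeholder VLAN ID
		}
	}
	eap
}

# AFTER: "authorize" only gathers control items; the reply is updated in
# "post-auth", which runs once the user has been authenticated, so the
# attributes are sent only on Access-Accept.
authorize {
	redundant {
		ldap1
		ldap2
	}
	eap
}

post-auth {
	if (control:Huntgroup-Name == "staff") {
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "20"
		}
	}
}
```

Running the server in debug mode after the change should show the Tunnel-* attributes only in the final Access-Accept and no longer in the Access-Challenge packets.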


