EAP/TTLS + virtual_server woes

Alexander Clouter alex at digriz.org.uk
Fri Oct 2 08:34:39 CEST 2009


Ivan Kalik <tnt at kalik.net> wrote:
>
>> Okay, I munched over the source code and I'm guessing I'm being a
>> cretin, but I'm hoping you can tell me what I'm doing wrong.
>>
>> If you use the 'virtual_server' functionality in the ttls{} section of
>> eap.conf, everything works great if you get an Access-Accept from the
>> inner virtual server ('auth' for me).  When I say "works great", I mean
>> the 'post-auth' section of the EAP calling ('auth-eap') virtual server
>> is munched through.  However, if 'Access-Reject' is returned then
>> 'post-auth' is not parsed and it bombs immediately back out to the
>> outer virtual server's ('dot1x') post-proxy section.
> 
> Try testing the reply:Packet-Type there. If it's Access-Reject do those
> updates.
> 
That's the problem, I cannot test *anything* there.  Even if I make the 
authenticate section:

Auth-Type EAP {
  eap

  if ( .... ) {
  }
}

That 'if ()' block never gets checked.

To me it looks like it should go into 'post-auth {}' and then nosey for 
a 'Post-Auth-Type Reject', but it does not do that either...annoyingly.

Not the end of the world, but it would let me see which usernames are 
failing to login (as my logging occurs in 'dot1x' I only see there 
'@example.com' and get 'auth' and 'auth-eap' to pass up the User-Name 
to the outer virtual server).

Cheers

-- 
Alexander Clouter
.sigmonster says: Do, or do not; there is no try.
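Added illustration, not from the thread or the FreeRADIUS project: one way to see which inner usernames are rejected without depending on the inner server's post-auth section running is to export the inner identity from the inner server's authorize section, which runs before accept/reject is decided, and log it from the outer server's reject handling. It assumes FreeRADIUS 2.x unlang, the poster's virtual server names ('auth' inner, 'dot1x' outer), the built-in internal attribute Tmp-String-0, and a linelog instance whose name (reject_log) is made up here.

```unlang
# sites-available/auth  -- inner virtual server named in ttls { virtual_server = auth }
authorize {
    # Runs for every inner request, whatever the eventual outcome, so the
    # real (tunneled) identity is copied up to the outer request here rather
    # than in post-auth, which the thread reports is skipped on reject.
    update outer.request {
        Tmp-String-0 := "%{User-Name}"
    }
    # existing authorize modules for the inner server follow unchanged
}

# modules/reject_log  -- assumed linelog instance name
linelog reject_log {
    filename = ${logdir}/reject.log
    # %S expands to the request timestamp; the outer User-Name is the
    # anonymous identity (e.g. "@example.com"), Tmp-String-0 the inner one.
    format = "%S rejected inner=%{Tmp-String-0} outer=%{User-Name} client=%{Client-IP-Address}"
}

# sites-available/dot1x  -- outer virtual server
post-auth {
    # Entered when the eap module returns reject for the tunneled session.
    Post-Auth-Type REJECT {
        reject_log
        attr_filter.access_reject
    }
}
```

The log line is written by the outer server, so it is produced even when the inner server's own post-auth section is not reached.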