Using Attributes to differentiate between different EAP types

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Tue Sep 15 22:17:38 CEST 2009



On 15/09/2009 20:57, Nathan McDavit-Van Fleet wrote:
> Hrmm,
> 
> Now that it's parsing I find that it doesn't work in terms of actually
> evaluating the EAP-Type.
> 
> For if (control.EAP-Type==21) and (outer.control.EAP-Type==21) I always get
> a false even though I am testing for TTLS (21). 

Erm... What..

if("%{control:EAP-Type}" == '21')

if("%{outer.control:EAP-Type}" == '21')

The list/attribute separator has always been a colon. Alan did some work to make naked variable expansion work, but I still generally stick to the double quoted curly braces consistency, or munging
variables together.

Don't worry about mixing types, the server just looks at the attribute type when doing conversions.

> 
> Is there some way to just have the value thrown into the debug output so I
> can see what it is at that moment?
> 

Yes

update request {
	Tmp-String-0 := "%{outer.control:EAP-Type}"
}


Pretty sure you'll also have to have the 'Proxy as EAP' option set in the outer tunnel to get the inner EAP type... Else just insert a policy at the end of the authorize{} section in the inner tunnel
to look at control:Auth-Type...

Oh and remember to include cases for Identity-Responses and NAKs else you'll break things in weird and interesting ways :)

-Arran


> 
>> -----Original Message-----
>> From: freeradius-users-
>> bounces+nmcdavit=alcor.concordia.ca at lists.freeradius.org
>> [mailto:freeradius-users-
>> bounces+nmcdavit=alcor.concordia.ca at lists.freeradius.org] On Behalf Of
>> Nathan McDavit-Van Fleet
>> Sent: Tuesday, September 15, 2009 1:05 PM
>> To: 'FreeRadius users mailing list'
>> Subject: RE: Using Attributes to differentiate between different EAP types
>>
>> Okay,
>>
>> Probably everyone but me knew this but:
>> If(blah == blah2)
>> 	{
>>
>> Doesn't work.
>>
>> You have to do
>>
>> If(blah == blah2) {
>>
>> So no returns for the first curly bracket or it won't parse out.
>>
>> Sorry,
>>
>> Nathan Van Fleet
>>
>>> -----Original Message-----
>>> From: freeradius-users-
>>> bounces+nmcdavit=alcor.concordia.ca at lists.freeradius.org
>>> [mailto:freeradius-users-
>>> bounces+nmcdavit=alcor.concordia.ca at lists.freeradius.org] On Behalf Of
>>> Ivan Kalik
>>> Sent: Tuesday, September 15, 2009 12:13 PM
>>> To: FreeRadius users mailing list
>>> Subject: RE: Using Attributes to differentiate between different EAP types
>>>
>>>> I'm trying the following code, I've tried most every variation
>>>> ("request:EAP-Type", "request.EAP-Type","EAP-Type","outer.EAP-Type".) but
>>>> freeradius does not even parse the configuration. I've tried %{} and just
>>>> the bare variables (which works for "outer.NAS-IP-Address").
>>>
>>> It's the internal attribute (for local server use), so it should be on the
>>> control list (control.EAP-Type).
>>>
>>> Ivan Kalik
>>> Kalik Informatika ISP
>>>
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html

-- 
Arran Cudbard-Bell <A.Cudbard-Bell at sussex.ac.uk>,
Systems Administrator (AAA),
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
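
Added example, not part of the original message or of FreeRADIUS: a short Python sketch of why a rule keyed only on EAP-Type 21 also needs cases for Identity-Responses (type 1) and NAKs (type 3), using the EAP packet layout from RFC 3748. The function names, the verdict strings and the sample packets are constructed for illustration and are not FreeRADIUS return codes.

```python
import struct

# EAP method numbers from RFC 3748 and the IANA EAP registry.
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "NAK", 4: "MD5-Challenge",
             13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}
EAP_RESPONSE = 2

def parse_eap(packet: bytes):
    """Return (code, identifier, eap_type, type_data) for one EAP packet."""
    if len(packet) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("bad EAP length field")
    if code not in (1, 2):        # Success/Failure carry no Type byte
        return code, ident, None, b""
    if length < 5:
        raise ValueError("Request/Response without a Type byte")
    return code, ident, packet[4], packet[5:length]

def classify(packet: bytes, wanted: int = 21) -> str:
    """Hypothetical policy decision for a rule that only wants `wanted`."""
    code, _, eap_type, data = parse_eap(packet)
    if code != EAP_RESPONSE:
        return "ignore"
    if eap_type == 1:             # Identity-Response: method not chosen yet
        return "continue"
    if eap_type == 3:             # NAK: data lists the methods the peer wants
        return "continue" if wanted in data else "reject"
    return "accept" if eap_type == wanted else "reject"

def eap(code, ident, eap_type, data=b""):
    """Build a constructed sample packet."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data

# Constructed conversation: identity, NAK of an offered PEAP, then TTLS.
SAMPLE = [eap(2, 1, 1, b"anonymous@example.org"),
          eap(2, 2, 3, bytes([21])),
          eap(2, 3, 21, b"\x00"),
          eap(2, 4, 25, b"\x00")]

def run_sample():
    return [classify(p) for p in SAMPLE]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, run_sample()):
        print(EAP_TYPES.get(p[4], p[4]), verdict)
```

A rule that rejected everything whose type is not 21 would drop the first two packets of this exchange, so the TTLS session would never start.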