Only run a single post-auth when using inner-tunnel

paul smith paulsmth37 at googlemail.com
Mon Mar 7 13:18:26 CET 2011


Thanks Phil, that's great, works really well.

It has set me thinking about a variation though: using EAP-Message
would mean that it wouldn't run if it had been through the default
only, such as EAP-TLS.
Is there something else I could use which would indicate if
inner-tunnel had been used?

thanks,


On Mon, Mar 7, 2011 at 11:08 AM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> On 07/03/11 10:10, paul smith wrote:
>
>> Is there some way I can tell the server not to run things in the
>> default post-auth, if the request has been through the inner-tunnel?
>>
>> I'm thinking putting something like the following in the default
>> post-auth section
>>
>>        if (!proxy-reply:Packet-Type == "Access-Accept") {
>>                radius-user-auth
>>        }
>
> How about:
>
> post-auth {
>  if (!EAP-Message) {
>    ...the exec module
>  }
> }
>
>>
>> However this always evaluates as true, even though I can see the
>> inner-tunnel authenticating successfully.
>
> Inner tunnel is not proxying, so proxy-reply is always empty, hence
> evaluates to "true". Don't confuse proxying with EAP phases.




More information about the Freeradius-Users mailing list