PEAP/MSCHAP doesn't run post-auth in inner-tunnel for reject?

Phil Mayers p.mayers at imperial.ac.uk
Sat May 19 22:33:57 CEST 2012


Bruce Nunn <ironrake at yahoo.com> wrote:

>For my installations I've disabled the EAP cache to make things work
>better. Only a few users noticed. Does anyone know if the same thing
>happens in the 3.0 branch? I was planning to put one of my production
>servers on the 3.0 code this summer.
>
>Alan DeKok <aland at deployingradius.com> wrote:
>
>>Phil Mayers wrote:
>>> Am I being dumb / getting something wrong or does the post-auth session
>>> not get called if PEAP/MSCHAP returns a reject?
>>> 
>>> It seems to run for successful auths, but not failures.
>>
>>  That is the case.
>>
>>> This is in the context of us not seeing log messages for EAP auth
>>> failures; I suspect that the client may just "hang up" and let the EAP
>>> session expire, and since the inner post-auth doesn't run, and the outer
>>> session expires, I have no logs.
>>
>>  There was talk about getting it to do Post-Auth-Type Reject in the
>>inner tunnel.  No code yet, tho.
>>
>>  Alan DeKok.
>>-
>>List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html

EAP cache? If you're referring to session caching, that's a completely different issue. Cached session resumption by design doesn't run any inner tunnel, including post-auth. You need to set Cached-Session-Policy in the inner-tunnel, then match it on the outer tunnel.
-- 
Sent from my phone. Please excuse brevity and typos.
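
Added example, not part of the original message and not the project's shipped configuration: a sketch of the set-then-match pattern described above, in FreeRADIUS 2.x-style unlang. It assumes use_tunneled_reply = yes in the peap section, so that the inner reply reaches the outer Access-Accept that the TLS session cache stores; the file paths, the policy name "staff" and the VLAN ID are constructed values.

```unlang
# sites-enabled/inner-tunnel (assumed path)
# This section runs only on a full, non-resumed authentication.
post-auth {
	# Tag the session with a policy name. With use_tunneled_reply = yes
	# (assumption) the attribute is copied to the outer reply, and the
	# TLS session cache stores it with the session.
	update reply {
		# "staff" is a constructed policy name
		Cached-Session-Policy := "staff"
	}
}

# sites-enabled/default (assumed path, outer server)
post-auth {
	# On a resumed session the inner tunnel is skipped, so the only
	# trace of the original decision is the cached policy name that the
	# EAP module places back into the reply list. Match it here and
	# re-apply whatever the inner tunnel would have returned.
	if ("%{reply:Cached-Session-Policy}" == "staff") {
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			# "10" is a constructed VLAN ID
			Tunnel-Private-Group-Id := "10"
		}
	}
}
```

Any per-user policy that is decided only inside the inner tunnel and not keyed to the cached name this way is silently absent on resumed sessions.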

